From: "Philippe Mathieu-Daudé" <philmd@linaro.org>
To: qemu-devel@nongnu.org
Cc: "Philippe Mathieu-Daudé" <philmd@linaro.org>,
"Jiaxun Yang" <jiaxun.yang@flygoat.com>,
"Aleksandar Rikalo" <aleksandar.rikalo@syrmia.com>,
"Aurelien Jarno" <aurelien@aurel32.net>,
"Peter Maydell" <peter.maydell@linaro.org>
Subject: [PATCH for-8.1 v2 2/2] target/mips: Avoid shift by negative number in page_table_walk_refill()
Date: Mon, 17 Jul 2023 23:35:04 +0200
Message-ID: <20230717213504.24777-3-philmd@linaro.org>
In-Reply-To: <20230717213504.24777-1-philmd@linaro.org>
Coverity points out that in page_table_walk_refill() we can shift by
a negative number, which is undefined behaviour (CID 1452918,
1452920, 1452922). We already catch the negative directory_shift and
leaf_shift as being a "bail out early" case, but not until we've
already used them to calculate some offset values.
Move the calculation of the offset values to after we've done the
"return early if ptew > 1" check.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
[PMD: Check for ptew > 1, use unsigned type]
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
target/mips/tcg/sysemu/tlb_helper.c | 32 +++++++++++++++--------------
1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/target/mips/tcg/sysemu/tlb_helper.c b/target/mips/tcg/sysemu/tlb_helper.c
index e7be649b02..7dbc2e24c4 100644
--- a/target/mips/tcg/sysemu/tlb_helper.c
+++ b/target/mips/tcg/sysemu/tlb_helper.c
@@ -624,7 +624,7 @@ static uint64_t get_tlb_entry_layout(CPUMIPSState *env, uint64_t entry,
static int walk_directory(CPUMIPSState *env, uint64_t *vaddr,
int directory_index, bool *huge_page, bool *hgpg_directory_hit,
uint64_t *pw_entrylo0, uint64_t *pw_entrylo1,
- int directory_shift, int leaf_shift)
+ unsigned directory_shift, unsigned leaf_shift)
{
int dph = (env->CP0_PWCtl >> CP0PC_DPH) & 0x1;
int psn = (env->CP0_PWCtl >> CP0PC_PSN) & 0x3F;
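Review bot: with directory_shift and leaf_shift changed to unsigned, the -1 sentinel that page_table_walk_refill() used to pass can no longer be represented, so walk_directory() now depends entirely on its caller having rejected ptew > 1 before the call; a one-line comment above the function stating that both arguments must already be valid shift counts (below the width of the shifted type) would record that precondition next to the signature. It is also worth confirming that page_table_walk_refill() is the only caller, because any other call site still passing an int -1 would now convert silently to a huge unsigned count instead of being caught.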
@@ -730,21 +730,11 @@ static bool page_table_walk_refill(CPUMIPSState *env, vaddr address,
/* Other HTW configs */
int hugepg = (env->CP0_PWCtl >> CP0PC_HUGEPG) & 0x1;
-
- /* HTW Shift values (depend on entry size) */
- int directory_shift = (ptew > 1) ? -1 :
- (hugepg && (ptew == 1)) ? native_shift + 1 : native_shift;
- int leaf_shift = (ptew > 1) ? -1 :
- (ptew == 1) ? native_shift + 1 : native_shift;
+ unsigned directory_shift, leaf_shift;
/* Offsets into tables */
- int goffset = gindex << directory_shift;
- int uoffset = uindex << directory_shift;
- int moffset = mindex << directory_shift;
- int ptoffset0 = (ptindex >> 1) << (leaf_shift + 1);
- int ptoffset1 = ptoffset0 | (1 << (leaf_shift));
-
- uint32_t leafentry_size = 1 << (leaf_shift + 3);
+ unsigned goffset, uoffset, moffset, ptoffset0, ptoffset1;
+ uint32_t leafentry_size;
/* Starting address - Page Table Base */
uint64_t vaddr = env->CP0_PWBase;
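Review bot: `directory_shift`, `leaf_shift`, the five offsets and `leafentry_size` are now declared here without initializers and assigned only after the ptew check further down, so any early-return path added between this declaration and those assignments must not read them; the visible code has no such read, but nothing will flag one if it is introduced later. Changing the offsets from int to unsigned also changes how `vaddr |= goffset` combines them: an int is sign-extended to uint64_t while an unsigned is zero-extended, so an intermediate such as `gindex << directory_shift` that previously overflowed into the sign bit would have set the upper half of vaddr and now will not. That is the intended direction, but a sentence in the commit message would make the behavioural change explicit. Minor: `leafentry_size` stays uint32_t while the offsets it is computed alongside become unsigned, which reads inconsistently.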
@@ -766,10 +756,22 @@ static bool page_table_walk_refill(CPUMIPSState *env, vaddr address,
/* no structure to walk */
return false;
}
- if ((directory_shift == -1) || (leaf_shift == -1)) {
+ if (ptew > 1) {
return false;
}
+ /* HTW Shift values (depend on entry size) */
+ directory_shift = (hugepg && (ptew == 1)) ? native_shift + 1 : native_shift;
+ leaf_shift = (ptew == 1) ? native_shift + 1 : native_shift;
+
+ goffset = gindex << directory_shift;
+ uoffset = uindex << directory_shift;
+ moffset = mindex << directory_shift;
+ ptoffset0 = (ptindex >> 1) << (leaf_shift + 1);
+ ptoffset1 = ptoffset0 | (1 << (leaf_shift));
+
+ leafentry_size = 1 << (leaf_shift + 3);
+
/* Global Directory */
if (gdw > 0) {
vaddr |= goffset;
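Review bot: replacing `(directory_shift == -1) || (leaf_shift == -1)` with `ptew > 1` is an exact equivalent, since in the removed code both shifts were -1 precisely when ptew > 1 and in no other case, so the early-return behaviour is unchanged. The remaining shifts of a literal 1 (`1 << (leaf_shift)` and `1 << (leaf_shift + 3)`) still shift a signed int: with leaf_shift now unsigned the count can no longer be negative, which is what the Coverity reports were about, but if `native_shift + 1 + 3` can reach 31 the result overflows int, which is still undefined; writing these as `1u << ...` (the results are stored in unsigned variables anyway) would close that as well.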
--
2.38.1