From: Richard Henderson <richard.henderson@linaro.org>
To: wliang@stu.xidian.edu.cn, qemu-devel@nongnu.org,
Peter Maydell <peter.maydell@linaro.org>
Subject: Re: Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0).
Date: Wed, 23 Feb 2022 09:13:33 -1000 [thread overview]
Message-ID: <3c7903dd-fc50-3b05-8419-0f5011c5e82c@linaro.org> (raw)
In-Reply-To: <5ec4ffe1.25b2.17f27005362.Coremail.wliang@stu.xidian.edu.cn>
On 2/23/22 04:33, wliang@stu.xidian.edu.cn wrote:
>
> Hi all,
>
> I find a potential Use-after-free bug in QEMU 6.2.0, which is in
> handle_simd_shift_fpint_conv()(./target/arm/translate-a64.c).
>
> At line 9048, a variable 'tcg_fpstatus' is freed by invoking tcg_temp_free_ptr(). However,
> at line 9050, the variable 'tcg_fpstatus' is subsequently use as the 3rd parameter of the
> function gen_helper_set_rmode. This may result in a use-after-free bug.
>
>
> 9048 tcg_temp_free_ptr(tcg_fpstatus);
> 9049 tcg_temp_free_i32(tcg_shift);
> 9050 gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
>
>
> I believe the bug can be fixed by invoking the gen_helper_set_rmode() before
> 'tcg_fpstatus' being freed by the tcg_temp_free_ptr().
>
>
> --- tcg_temp_free_ptr(tcg_fpstatus);
> 9049 tcg_temp_free_i32(tcg_shift);
> 9050 gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
> +++ tcg_temp_free_ptr(tcg_fpstatus);
>
> I'm looking forward to your confirmation.
The fix is correct. We just need the submission formatted properly, with your
Signed-off-by tag. When re-formatting, you can add my
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
r~
next prev parent reply other threads:[~2022-02-23 19:15 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-02-23 14:33 Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0) wliang
2022-02-23 19:13 ` Richard Henderson [this message]
2022-02-25 4:05 ` wliang
2022-02-25 11:41 ` Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3c7903dd-fc50-3b05-8419-0f5011c5e82c@linaro.org \
--to=richard.henderson@linaro.org \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=wliang@stu.xidian.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).