
Re: [PATCH] target/i386: Verify memory operand for lcall and ljmp


From: Paolo Bonzini
Subject: Re: [PATCH] target/i386: Verify memory operand for lcall and ljmp
Date: Wed, 24 Mar 2021 18:00:43 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0

On 24/03/21 17:46, Richard Henderson wrote:
These two opcodes only allow a memory operand.

Lacking the check for a register operand, we used the A0 temp
without initialization, which led to a tcg abort.

Buglink: https://bugs.launchpad.net/qemu/+bug/1921138
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
  target/i386/tcg/translate.c | 6 ++++++
  1 file changed, 6 insertions(+)

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index af1faf9342..880bc45561 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -5061,6 +5061,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState 
*cpu)
              gen_jr(s, s->T0);
              break;
          case 3: /* lcall Ev */
+            if (mod == 3) {
+                goto illegal_op;
+            }
              gen_op_ld_v(s, ot, s->T1, s->A0);
              gen_add_A0_im(s, 1 << ot);
              gen_op_ld_v(s, MO_16, s->T0, s->A0);
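Review bot: the `mod == 3` guard lands in the right place, directly ahead of the first `gen_op_ld_v(s, ot, s->T1, s->A0)` that reads the uninitialised `s->A0` the commit message describes, but a short comment on the guard (e.g. `/* lcall only takes a memory operand; a register form is #UD */`) would tell the next reader why this case is rejected without having to re-derive the ModRM decoding; the same applies to the `illegal_op` target, which is the only thing that distinguishes this from a silent no-op.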
@@ -5088,6 +5091,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState 
*cpu)
              gen_jr(s, s->T0);
              break;
          case 5: /* ljmp Ev */
+            if (mod == 3) {
+                goto illegal_op;
+            }
              gen_op_ld_v(s, ot, s->T1, s->A0);
              gen_add_A0_im(s, 1 << ot);
              gen_op_ld_v(s, MO_16, s->T0, s->A0);
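Review bot: this hunk is a verbatim copy of the guard added to `case 3`, so if either case later grows a different operand-size rule the two will drift; consider hoisting the `mod == 3` check above the `switch` for the cases that require a memory operand, or at least keep the two guards next to a shared comment. Since the Buglink reports a TCG abort reachable from guest code, a regression test that executes the register-encoded `lcall`/`ljmp` forms and expects an illegal-opcode fault would also be worth adding alongside the fix.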


Acked-by: Paolo Bonzini <pbonzini@redhat.com>
