Re: [PULL 09/20] target/tricore: Fix out-of-bounds index in imask instru
From: Michael Tokarev
Subject: Re: [PULL 09/20] target/tricore: Fix out-of-bounds index in imask instruction
Date: Thu, 22 Jun 2023 10:43:16 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0

21.06.2023 19:14, Bastian Koppelmann wrote:
From: Siqi Chen <coc.cyqh@gmail.com>

When translating the "imask" instruction of the Tricore architecture, QEMU did not
check whether the register index was out of bounds, resulting in a global-buffer-overflow.

Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1698
Reported-by: Siqi Chen <coc.cyqh@gmail.com>
Signed-off-by: Siqi Chen <coc.cyqh@gmail.com>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Message-Id: <20230612065633.149152-1-coc.cyqh@gmail.com>
Message-Id: <20230612113245.56667-2-kbastian@mail.uni-paderborn.de>
---
  target/tricore/translate.c | 1 +
  1 file changed, 1 insertion(+)

diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index 6712d98f6e..74faad4794 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -5339,6 +5339,7 @@ static void decode_rcrw_insert(DisasContext *ctx)
switch (op2) {
      case OPC2_32_RCRW_IMASK:
+        CHECK_REG_PAIR(r4);
          tcg_gen_andi_tl(temp, cpu_gpr_d[r3], 0x1f);
          tcg_gen_movi_tl(temp2, (1 << width) - 1);
          tcg_gen_shl_tl(cpu_gpr_d[r4 + 1], temp2, temp);
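Review bot: the guard is placed before the first use of r4 + 1, which is the right spot, but the hunk does not show what CHECK_REG_PAIR does on failure. For the fix to be effective the macro must not only raise the guest trap but also return from decode_rcrw_insert; if it falls through, the `tcg_gen_shl_tl(cpu_gpr_d[r4 + 1], temp2, temp);` two lines below still indexes past the end of cpu_gpr_d for r4 = 15 at translation time, which is exactly the host-side overflow the commit message describes. Worth confirming against the other CHECK_REG_PAIR users in translate.c. A one-line note in the commit message would also help: the check rejects an odd r4 (pair alignment) rather than testing r4 + 1 against the array size, and it is the evenness of r4 that keeps r4 + 1 in range, which is not obvious from the summary "out-of-bounds index".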

Is it -stable material?

Thanks,

/mjt
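As an added illustration, not code from QEMU or from anyone in this thread, the following C model shows the bug class the commit message describes: a 4-bit register field read straight out of the instruction word is used as `r4`, the translator then writes `gpr_d[r4 + 1]`, and with a 16-entry register file `r4 = 15` reaches index 16. The instruction encoding, the field positions, `NUM_GPR`, and the assumption that CHECK_REG_PAIR rejects odd register numbers are all assumptions of this example; unlike the unguarded translator, the model refuses the out-of-range store instead of performing it, so it can be run safely.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the data-register file modelled after cpu_gpr_d[]. */
#define NUM_GPR 16

typedef struct {
    uint32_t gpr_d[NUM_GPR];
} RegFile;

typedef enum {
    IMASK_OK = 0,
    IMASK_ODD_REG,   /* what a pair check such as CHECK_REG_PAIR is assumed to reject */
    IMASK_OOB        /* the store the unguarded translator would perform out of bounds */
} ImaskStatus;

/* Constructed instruction layout for this example (not the real RCRW format):
 * r3 in bits [15:12], width in bits [20:16], r4 in bits [31:28]. */
static inline unsigned field(uint32_t insn, unsigned pos, unsigned len)
{
    return (insn >> pos) & ((1u << len) - 1u);
}

uint32_t encode_imask(unsigned r3, unsigned r4, unsigned width)
{
    return ((r3 & 0xfu) << 12) | ((width & 0x1fu) << 16) | ((r4 & 0xfu) << 28);
}

/* Models the translation of imask. With check_pair == false it behaves like
 * the code before the patch: r4 + 1 is used as an index with no validation.
 * With check_pair == true an odd r4 is rejected first, which is what keeps
 * r4 + 1 inside the array. The explicit bounds test exists only so that the
 * unguarded path reports the problem instead of corrupting memory. */
ImaskStatus imask_exec(RegFile *rf, uint32_t insn, bool check_pair)
{
    unsigned r3 = field(insn, 12, 4);
    unsigned r4 = field(insn, 28, 4);
    unsigned width = field(insn, 16, 5);

    if (check_pair && (r4 & 1u)) {
        return IMASK_ODD_REG;
    }

    unsigned dst = r4 + 1;
    if (dst >= NUM_GPR) {
        return IMASK_OOB;   /* r4 == 15 lands here: index 16 of a 16-entry array */
    }

    /* Same arithmetic as the hunk: mask = ((1 << width) - 1) << (gpr_d[r3] & 0x1f). */
    uint32_t shift = rf->gpr_d[r3] & 0x1fu;
    uint32_t mask = ((1u << width) - 1u) << shift;
    rf->gpr_d[dst] = mask;
    return IMASK_OK;
}

/* Convenience wrapper: run one encoding and return the status. */
ImaskStatus run_imask(unsigned r3, unsigned r3_value, unsigned r4, unsigned width,
                      bool check_pair, uint32_t *dst_out)
{
    RegFile rf;
    memset(&rf, 0, sizeof rf);
    rf.gpr_d[r3] = r3_value;
    ImaskStatus st = imask_exec(&rf, encode_imask(r3, r4, width), check_pair);
    if (dst_out && st == IMASK_OK) {
        *dst_out = rf.gpr_d[r4 + 1];
    }
    return st;
}

int main(void)
{
    uint32_t v = 0;
    printf("r4=15 unguarded: %d (2 = out of bounds)\n",
           run_imask(1, 4, 15, 8, false, &v));
    printf("r4=15 guarded:   %d (1 = rejected as odd register)\n",
           run_imask(1, 4, 15, 8, true, &v));
    printf("r4=14 guarded:   %d, d15 = 0x%x\n",
           run_imask(1, 4, 14, 8, true, &v), v);
    return 0;
}
```

The point of the model is the second case: an odd `r4` is refused before any index is formed, so the in-range `r4 + 1` in the third case is a consequence of the pair check rather than of a separate bounds test.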


