Message ID | 20210324164650.128608-1-richard.henderson@linaro.org (mailing list archive)
---|---
State | New, archived
Series | target/i386: Verify memory operand for lcall and ljmp
On 24/03/21 17:46, Richard Henderson wrote: > These two opcodes only allow a memory operand. > > Lacking the check for a register operand, we used the A0 temp > without initialization, which led to a tcg abort. > > Buglink: https://bugs.launchpad.net/qemu/+bug/1921138 > Signed-off-by: Richard Henderson <richard.henderson@linaro.org> > --- > target/i386/tcg/translate.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c > index af1faf9342..880bc45561 100644 > --- a/target/i386/tcg/translate.c > +++ b/target/i386/tcg/translate.c > @@ -5061,6 +5061,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) > gen_jr(s, s->T0); > break; > case 3: /* lcall Ev */ > + if (mod == 3) { > + goto illegal_op; > + } > gen_op_ld_v(s, ot, s->T1, s->A0); > gen_add_A0_im(s, 1 << ot); > gen_op_ld_v(s, MO_16, s->T0, s->A0); > @@ -5088,6 +5091,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) > gen_jr(s, s->T0); > break; > case 5: /* ljmp Ev */ > + if (mod == 3) { > + goto illegal_op; > + } > gen_op_ld_v(s, ot, s->T1, s->A0); > gen_add_A0_im(s, 1 << ot); > gen_op_ld_v(s, MO_16, s->T0, s->A0); > Acked-by: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c index af1faf9342..880bc45561 100644 --- a/target/i386/tcg/translate.c +++ b/target/i386/tcg/translate.c @@ -5061,6 +5061,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) gen_jr(s, s->T0); break; case 3: /* lcall Ev */ + if (mod == 3) { + goto illegal_op; + } gen_op_ld_v(s, ot, s->T1, s->A0); gen_add_A0_im(s, 1 << ot); gen_op_ld_v(s, MO_16, s->T0, s->A0); @@ -5088,6 +5091,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu) gen_jr(s, s->T0); break; case 5: /* ljmp Ev */ + if (mod == 3) { + goto illegal_op; + } gen_op_ld_v(s, ot, s->T1, s->A0); gen_add_A0_im(s, 1 << ot); gen_op_ld_v(s, MO_16, s->T0, s->A0);
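Review bot: in the `case 3: /* lcall Ev */` hunk the new `mod == 3` guard is placed correctly, before the first `gen_op_ld_v(s, ot, s->T1, s->A0)` that would read the uninitialized `A0` temp, but the operand comment still says `Ev`, which advertises a register-or-memory form the code now rejects as `illegal_op`; update the comment to state the memory-only form, e.g. `case 3: /* lcall Ev (memory only) */`, so a later reader does not reintroduce a register path.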
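Review bot: the guard in the `case 5: /* ljmp Ev */` hunk is a verbatim copy of the lcall one and, like it, comes with no test; since the commit message ties this to a TCG abort reachable from guest code, a regression test under tests/tcg/i386 that assembles the indirect far-call and far-jump encodings (`FF /3` and `FF /5`) with a register ModRM (mod=11) and expects the guest to take the undefined-opcode path would lock in the `illegal_op` behaviour for both cases and cover the bug referenced by the Buglink.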
These two opcodes only allow a memory operand.

Lacking the check for a register operand, we used the A0 temp
without initialization, which led to a tcg abort.

Buglink: https://bugs.launchpad.net/qemu/+bug/1921138
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c | 6 ++++++
 1 file changed, 6 insertions(+)