[v2,2/5] target/ppc: powerpc_excp: Add excp_vectors bounds check

Message ID 20211229165751.3774248-3-farosas@linux.ibm.com (mailing list archive)
State New, archived
Series target/ppc: powerpc_excp improvements (1/n)

Commit Message

Fabiano Rosas Dec. 29, 2021, 4:57 p.m. UTC
The next patch will start accessing the excp_vectors array earlier in
the function, so add a bounds check as first thing here.

This converts the empty return on POWERPC_EXCP_NONE to an error. This
exception number never reaches this function and if it does it
probably means something else went wrong up the line.

Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>
---
 target/ppc/excp_helper.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Richard Henderson Dec. 30, 2021, 10:04 p.m. UTC | #1
On 12/29/21 8:57 AM, Fabiano Rosas wrote:
> The next patch will start accessing the excp_vectors array earlier in
> the function, so add a bounds check as first thing here.
> 
> This converts the empty return on POWERPC_EXCP_NONE to an error. This
> exception number never reaches this function and if it does it
> probably means something else went wrong up the line.
> 
> Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>


r~
Cédric Le Goater Dec. 31, 2021, 7:40 a.m. UTC | #2
On 12/29/21 17:57, Fabiano Rosas wrote:
> The next patch will start accessing the excp_vectors array earlier in
> the function, so add a bounds check as first thing here.
> 
> This converts the empty return on POWERPC_EXCP_NONE to an error. This
> exception number never reaches this function and if it does it
> probably means something else went wrong up the line.
> 
> Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>

Reviewed-by: Cédric Le Goater <clg@kaod.org>

Thanks,

C.

> ---
>   target/ppc/excp_helper.c | 7 ++++---
>   1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
> index 8b9c6bc5a8..9a03e4b896 100644
> --- a/target/ppc/excp_helper.c
> +++ b/target/ppc/excp_helper.c
> @@ -300,6 +300,10 @@ static inline void powerpc_excp(PowerPCCPU *cpu, int excp_model, int excp)
>       target_ulong msr, new_msr, vector;
>       int srr0, srr1, lev = -1;
>   
> +    if (excp <= POWERPC_EXCP_NONE || excp >= POWERPC_EXCP_NB) {
> +        cpu_abort(cs, "Invalid PowerPC exception %d. Aborting\n", excp);
> +    }
> +
>       qemu_log_mask(CPU_LOG_INT, "Raise exception at " TARGET_FMT_lx
>                     " => %08x (%02x)\n", env->nip, excp, env->error_code);
>   
> @@ -353,9 +357,6 @@ static inline void powerpc_excp(PowerPCCPU *cpu, int excp_model, int excp)
>   #endif
>   
>       switch (excp) {
> -    case POWERPC_EXCP_NONE:
> -        /* Should never happen */
> -        return;
>       case POWERPC_EXCP_CRITICAL:    /* Critical input                         */
>           switch (excp_model) {
>           case POWERPC_EXCP_40x:
>
David Gibson Jan. 1, 2022, 8:29 a.m. UTC | #3
On Wed, Dec 29, 2021 at 01:57:48PM -0300, Fabiano Rosas wrote:
> The next patch will start accessing the excp_vectors array earlier in
> the function, so add a bounds check as first thing here.
> 
> This converts the empty return on POWERPC_EXCP_NONE to an error. This
> exception number never reaches this function and if it does it
> probably means something else went wrong up the line.
> 
> Signed-off-by: Fabiano Rosas <farosas@linux.ibm.com>

Reviewed-by: David Gibson <david@gibson.dropbear.id.au>

> ---
>  target/ppc/excp_helper.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
> index 8b9c6bc5a8..9a03e4b896 100644
> --- a/target/ppc/excp_helper.c
> +++ b/target/ppc/excp_helper.c
> @@ -300,6 +300,10 @@ static inline void powerpc_excp(PowerPCCPU *cpu, int excp_model, int excp)
>      target_ulong msr, new_msr, vector;
>      int srr0, srr1, lev = -1;
>  
> +    if (excp <= POWERPC_EXCP_NONE || excp >= POWERPC_EXCP_NB) {
> +        cpu_abort(cs, "Invalid PowerPC exception %d. Aborting\n", excp);
> +    }
> +
>      qemu_log_mask(CPU_LOG_INT, "Raise exception at " TARGET_FMT_lx
>                    " => %08x (%02x)\n", env->nip, excp, env->error_code);
>  
> @@ -353,9 +357,6 @@ static inline void powerpc_excp(PowerPCCPU *cpu, int excp_model, int excp)
>  #endif
>  
>      switch (excp) {
> -    case POWERPC_EXCP_NONE:
> -        /* Should never happen */
> -        return;
>      case POWERPC_EXCP_CRITICAL:    /* Critical input                         */
>          switch (excp_model) {
>          case POWERPC_EXCP_40x:
Patch

diff --git a/target/ppc/excp_helper.c b/target/ppc/excp_helper.c
index 8b9c6bc5a8..9a03e4b896 100644
--- a/target/ppc/excp_helper.c
+++ b/target/ppc/excp_helper.c
@@ -300,6 +300,10 @@  static inline void powerpc_excp(PowerPCCPU *cpu, int excp_model, int excp)
     target_ulong msr, new_msr, vector;
     int srr0, srr1, lev = -1;
 
+    if (excp <= POWERPC_EXCP_NONE || excp >= POWERPC_EXCP_NB) {
+        cpu_abort(cs, "Invalid PowerPC exception %d. Aborting\n", excp);
+    }
+
     qemu_log_mask(CPU_LOG_INT, "Raise exception at " TARGET_FMT_lx
                   " => %08x (%02x)\n", env->nip, excp, env->error_code);
 
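Review bot: the new range check at the top of powerpc_excp has no comment saying what it protects. The commit message says it guards the excp_vectors access that the next patch moves earlier, but the code does not, and whether excp_vectors is actually sized by POWERPC_EXCP_NB is not visible in this hunk; a one-line comment above the `if` naming the array would keep the bound and the array from drifting apart. The abort also fires before the CPU_LOG_INT trace below it, so the message carries only excp; adding env->nip to the cpu_abort format string would preserve the address the skipped log line would have printed.
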
@@ -353,9 +357,6 @@  static inline void powerpc_excp(PowerPCCPU *cpu, int excp_model, int excp)
 #endif
 
     switch (excp) {
-    case POWERPC_EXCP_NONE:
-        /* Should never happen */
-        return;
     case POWERPC_EXCP_CRITICAL:    /* Critical input                         */
         switch (excp_model) {
         case POWERPC_EXCP_40x:
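
Review bot: removing `case POWERPC_EXCP_NONE:` from the switch turns that value from a silent return into a cpu_abort through the new check, and the intent is now recorded only in the commit message because the "Should never happen" comment goes away with the case. Carrying that comment over to the new check would keep the reasoning in the source, and it is worth confirming in the series that no caller passes POWERPC_EXCP_NONE on a path a guest can reach, since what used to be a no-op now terminates the emulator.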