From patchwork Mon Jun 12 11:32:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastian Koppelmann X-Patchwork-Id: 13276381 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 921EFC7EE23 for ; Mon, 12 Jun 2023 11:34:09 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1q8fo8-0000QM-QF; Mon, 12 Jun 2023 07:34:00 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q8fo7-0000QA-Jg for qemu-devel@nongnu.org; Mon, 12 Jun 2023 07:33:59 -0400 Received: from hoth.uni-paderborn.de ([2001:638:502:c003::19]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1q8fo5-0006s8-T1 for qemu-devel@nongnu.org; Mon, 12 Jun 2023 07:33:59 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mail.uni-paderborn.de; s=20170601; h=Content-Transfer-Encoding:MIME-Version :References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=GEvRYU1CuroKRaAfeXOGUElYYVyWSGJQz9WSKG0SJ2s=; b=YOYg834bcyGEbcYg3bEkvg/TLj rfBAu/cdqEg/K3xn72JcJwvtBQtuidn/F8Yeun6mXsQ7Yu5R+9/Z0LWwqYLsZLl5x6Sbfni9NlTTE djSTrSK7g3kMNnYCFuH1pGaEXfmw7peGleTL1XW9sw4JY/zl4WX7ayByJ2TDs1bsjCmw=; X-Envelope-From: From: Bastian Koppelmann To: qemu-devel@nongnu.org Cc: kbastian@mail.uni-paderborn.de, Siqi Chen Subject: [PATCH 3/4] target/tricore: Add CHECK_REG_PAIR() for insn accessing 64 bit regs Date: Mon, 12 Jun 2023 13:32:44 +0200 Message-Id: <20230612113245.56667-4-kbastian@mail.uni-paderborn.de> X-Mailer: git-send-email 2.40.1 In-Reply-To: <20230612113245.56667-1-kbastian@mail.uni-paderborn.de> References: <20230612113245.56667-1-kbastian@mail.uni-paderborn.de> MIME-Version: 1.0 X-PMX-Version: 6.4.9.2830568, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2023.6.12.112716, AntiVirus-Engine: 6.0.0, AntiVirus-Data: 2023.6.6.600001 X-Sophos-SenderHistory: ip=79.202.219.6, fs=414527, da=174178700, mc=49, sc=0, hc=49, sp=0, fso=414527, re=0, sd=0, hd=0 X-IMT-Source: Intern X-IMT-Spam-Score: 0.0 () X-IMT-Authenticated-Sender: uid=kbastian,ou=People,o=upb,c=de Received-SPF: pass client-ip=2001:638:502:c003::19; envelope-from=kbastian@mail.uni-paderborn.de; helo=hoth.uni-paderborn.de X-Spam_score_int: -19 X-Spam_score: -2.0 X-Spam_bar: -- X-Spam_report: (-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org some insns were not checking if an even index was used to access a 64 bit register. In the worst case that could lead to a buffer overflow as reported in https://gitlab.com/qemu-project/qemu/-/issues/1698. Reported-by: Siqi Chen Signed-off-by: Bastian Koppelmann --- target/tricore/translate.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/target/tricore/translate.c b/target/tricore/translate.c index 3b8d3f53ee..2a947e9bd5 100644 --- a/target/tricore/translate.c +++ b/target/tricore/translate.c @@ -309,6 +309,7 @@ static void gen_cmpswap(DisasContext *ctx, int reg, TCGv ea) { TCGv temp = tcg_temp_new(); TCGv temp2 = tcg_temp_new(); + CHECK_REG_PAIR(reg); tcg_gen_qemu_ld_tl(temp, ea, ctx->mem_idx, MO_LEUL); tcg_gen_movcond_tl(TCG_COND_EQ, temp2, cpu_gpr_d[reg+1], temp, cpu_gpr_d[reg], temp); @@ -321,7 +322,7 @@ static void gen_swapmsk(DisasContext *ctx, int reg, TCGv ea) TCGv temp = tcg_temp_new(); TCGv temp2 = tcg_temp_new(); TCGv temp3 = tcg_temp_new(); - + CHECK_REG_PAIR(reg); tcg_gen_qemu_ld_tl(temp, ea, ctx->mem_idx, MO_LEUL); tcg_gen_and_tl(temp2, cpu_gpr_d[reg], cpu_gpr_d[reg+1]); tcg_gen_andc_tl(temp3, temp, cpu_gpr_d[reg+1]); @@ -3219,6 +3220,7 @@ static void decode_src_opc(DisasContext *ctx, int op1) break; case OPC1_16_SRC_MOV_E: if (has_feature(ctx, TRICORE_FEATURE_16)) { + CHECK_REG_PAIR(r1); tcg_gen_movi_tl(cpu_gpr_d[r1], const4); tcg_gen_sari_tl(cpu_gpr_d[r1+1], cpu_gpr_d[r1], 31); } else { @@ -6172,6 +6174,7 @@ static void decode_rr_divide(DisasContext *ctx) tcg_gen_sari_tl(cpu_gpr_d[r3+1], cpu_gpr_d[r1], 31); break; case OPC2_32_RR_DVINIT_U: + CHECK_REG_PAIR(r3); /* overflow = (D[b] == 0) */ tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_PSW_V, cpu_gpr_d[r2], 0); tcg_gen_shli_tl(cpu_PSW_V, cpu_PSW_V, 31); @@ -6200,6 +6203,7 @@ static void decode_rr_divide(DisasContext *ctx) break; case OPC2_32_RR_DIV: if (has_feature(ctx, TRICORE_FEATURE_16)) { + CHECK_REG_PAIR(r3); GEN_HELPER_RR(divide, cpu_gpr_d[r3], cpu_gpr_d[r3+1], cpu_gpr_d[r1], cpu_gpr_d[r2]); } else { @@ -6208,6 +6212,7 @@ static void decode_rr_divide(DisasContext *ctx) break; case OPC2_32_RR_DIV_U: if (has_feature(ctx, TRICORE_FEATURE_16)) { + CHECK_REG_PAIR(r3); GEN_HELPER_RR(divide_u, cpu_gpr_d[r3], cpu_gpr_d[r3+1], cpu_gpr_d[r1], cpu_gpr_d[r2]); } else { @@ -6734,6 +6739,8 @@ static void decode_rrr2_msub(DisasContext *ctx) cpu_gpr_d[r3], cpu_gpr_d[r3+1], cpu_gpr_d[r2]); break; case OPC2_32_RRR2_MSUB_U_64: + CHECK_REG_PAIR(r4); + CHECK_REG_PAIR(r3); gen_msubu64_d(cpu_gpr_d[r4], cpu_gpr_d[r4+1], cpu_gpr_d[r1], cpu_gpr_d[r3], cpu_gpr_d[r3+1], cpu_gpr_d[r2]); break; @@ -7817,7 +7824,7 @@ static void decode_rrrw_extract_insert(DisasContext *ctx) break; case OPC2_32_RRRW_IMASK: temp2 = tcg_temp_new(); - + CHECK_REG_PAIR(r4); tcg_gen_andi_tl(temp, cpu_gpr_d[r3], 0x1f); tcg_gen_movi_tl(temp2, (1 << width) - 1); tcg_gen_shl_tl(temp2, temp2, temp);