
Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0).

Message ID: 5ec4ffe1.25b2.17f27005362.Coremail.wliang@stu.xidian.edu.cn
State: New, archived
Series: Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0)

Commit Message

wliang@stu.xidian.edu.cn Feb. 23, 2022, 2:33 p.m. UTC
Hi all,

I found a potential use-after-free bug in QEMU 6.2.0, in handle_simd_shift_fpint_conv() (./target/arm/translate-a64.c).

At line 9048, the variable 'tcg_fpstatus' is freed by invoking tcg_temp_free_ptr(). However, at line 9050, 'tcg_fpstatus' is subsequently used as the third parameter of the function gen_helper_set_rmode(). This may result in a use-after-free bug.


9048    tcg_temp_free_ptr(tcg_fpstatus);
9049    tcg_temp_free_i32(tcg_shift);
9050    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);


I believe the bug can be fixed by invoking gen_helper_set_rmode() before 'tcg_fpstatus' is freed by tcg_temp_free_ptr().


 ---    tcg_temp_free_ptr(tcg_fpstatus);
9049    tcg_temp_free_i32(tcg_shift);
9050    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
 +++    tcg_temp_free_ptr(tcg_fpstatus);
 
I'm looking forward to your confirmation.


Best,

Wentao
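The report above describes the ordering bug; what it does not show is why freeing a TCG temp before its last use matters when no host memory is released. The following is an added example, not code from QEMU or from the patch author: a miniature model of index-based temporaries in which, as in TCG, a freed slot goes back to a pool and is handed out again by the next allocation. It replays the pre-patch ordering (free tcg_fpstatus, free tcg_shift, emit set_rmode) and the post-patch ordering, once as-is and once with one extra allocation in between, which is what a later edit to the function could introduce. All `model_*` names, the `MAGIC` values, and the dead-operand check inside the helper stand-in are the model's own assumptions, not QEMU behaviour the page states.

```c
/* Added example, not QEMU code: a miniature model of TCG's index-based
 * temporaries, to show why emitting gen_helper_set_rmode() after
 * tcg_temp_free_ptr(tcg_fpstatus) is a use-after-free even though no
 * host memory is released. Everything here is an assumption of the
 * model: temps are slots in a fixed array, a freed slot is reused by the
 * next allocation, and "emitting" a helper just records which slot it
 * read. The model_* names and the MAGIC values are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_TEMPS      8
#define FPSTATUS_MAGIC 0x1234   /* constructed: what tcg_fpstatus "holds" */
#define OTHER_MAGIC    0xbeef   /* constructed: some unrelated later temp   */

typedef int temp_t;             /* a temp is a slot index, like TCGv_ptr   */

struct model_ctx {
    bool allocated[MAX_TEMPS];  /* liveness bit per slot                    */
    int  value[MAX_TEMPS];      /* payload the slot currently carries       */
    int  helper_arg;            /* fpstatus value the last helper call read */
};

static void model_init(struct model_ctx *s)
{
    memset(s, 0, sizeof *s);
}

/* Like tcg_temp_new_*: hand out the lowest free slot. */
static temp_t model_temp_new(struct model_ctx *s, int value)
{
    for (int i = 0; i < MAX_TEMPS; i++) {
        if (!s->allocated[i]) {
            s->allocated[i] = true;
            s->value[i] = value;
            return i;
        }
    }
    return -1;
}

/* Like tcg_temp_free_*: the slot goes back to the pool; nothing is zeroed. */
static void model_temp_free(struct model_ctx *s, temp_t t)
{
    s->allocated[t] = false;
}

/* Stand-in for gen_helper_set_rmode(rmode, rmode, fpstatus). The model
 * refuses a dead operand (returns false); that check is the model's own. */
static bool model_helper_set_rmode(struct model_ctx *s, temp_t rmode, temp_t fpst)
{
    if (!s->allocated[rmode] || !s->allocated[fpst]) {
        return false;
    }
    s->helper_arg = s->value[fpst];
    return true;
}

/* Ordering from translate-a64.c before the patch. alloc_between optionally
 * inserts one extra allocation between the early free and the helper call,
 * which is what a later edit to the function could do. Returns the
 * fpstatus value the helper saw, or -1 if it was handed a dead slot. */
static int buggy_sequence(bool alloc_between)
{
    struct model_ctx s;
    model_init(&s);
    temp_t tcg_fpstatus = model_temp_new(&s, FPSTATUS_MAGIC);
    temp_t tcg_shift    = model_temp_new(&s, 0);
    temp_t tcg_rmode    = model_temp_new(&s, 0);

    model_temp_free(&s, tcg_fpstatus);             /* freed too early */
    model_temp_free(&s, tcg_shift);
    if (alloc_between) {
        model_temp_new(&s, OTHER_MAGIC);           /* lands in tcg_fpstatus's slot */
    }
    bool ok = model_helper_set_rmode(&s, tcg_rmode, tcg_fpstatus);
    model_temp_free(&s, tcg_rmode);
    return ok ? s.helper_arg : -1;
}

/* Ordering after the patch: helper first, then free tcg_fpstatus. */
static int fixed_sequence(bool alloc_between)
{
    struct model_ctx s;
    model_init(&s);
    temp_t tcg_fpstatus = model_temp_new(&s, FPSTATUS_MAGIC);
    temp_t tcg_shift    = model_temp_new(&s, 0);
    temp_t tcg_rmode    = model_temp_new(&s, 0);

    model_temp_free(&s, tcg_shift);                /* not an operand, fine */
    bool ok = model_helper_set_rmode(&s, tcg_rmode, tcg_fpstatus);
    model_temp_free(&s, tcg_fpstatus);             /* after its last use */
    if (alloc_between) {
        model_temp_new(&s, OTHER_MAGIC);           /* reuse is now harmless */
    }
    model_temp_free(&s, tcg_rmode);
    return ok ? s.helper_arg : -1;
}

int main(void)
{
    printf("buggy, no alloc between : %d\n", buggy_sequence(false));
    printf("buggy, alloc between    : %#x\n", buggy_sequence(true));
    printf("fixed, no alloc between : %#x\n", fixed_sequence(false));
    printf("fixed, alloc between    : %#x\n", fixed_sequence(true));
    return 0;
}
```

The two buggy runs are the point: with nothing allocated between the free and the use, the helper is merely handed a slot that is no longer live (the situation in the 6.2.0 code, where only another free sits in between), while one intervening allocation makes it silently read a different temp's contents. The fixed ordering returns the original fpstatus value in both cases.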

Comments

Richard Henderson Feb. 23, 2022, 7:13 p.m. UTC | #1
On 2/23/22 04:33, wliang@stu.xidian.edu.cn wrote:
> 
> Hi all,
> 
> I found a potential use-after-free bug in QEMU 6.2.0, in 
> handle_simd_shift_fpint_conv() (./target/arm/translate-a64.c).
> 
> At line 9048, the variable 'tcg_fpstatus' is freed by invoking tcg_temp_free_ptr(). However, 
> at line 9050, 'tcg_fpstatus' is subsequently used as the third parameter of the 
> function gen_helper_set_rmode(). This may result in a use-after-free bug.
> 
> 
> 9048    tcg_temp_free_ptr(tcg_fpstatus);
> 9049    tcg_temp_free_i32(tcg_shift);
> 9050    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
> 
> 
> I believe the bug can be fixed by invoking gen_helper_set_rmode() before 
> 'tcg_fpstatus' is freed by tcg_temp_free_ptr().
> 
> 
>   ---    tcg_temp_free_ptr(tcg_fpstatus);
> 9049    tcg_temp_free_i32(tcg_shift);
> 9050    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
>   +++    tcg_temp_free_ptr(tcg_fpstatus);
> 
> I'm looking forward to your confirmation.

The fix is correct.  We just need the submission formatted properly, with your 
Signed-off-by tag.  When re-formatting, you can add my

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>


r~
wliang@stu.xidian.edu.cn Feb. 25, 2022, 4:05 a.m. UTC | #2
> 
> The fix is correct.  We just need the submission formatted properly, with your 
> Signed-off-by tag.  When re-formatting, you can add my
> 
> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
> 

> r~

Hi guys,

Thank you for waiting for me.

Here is a new patch with Signed-off-by tags.

Best,
Wentao
Peter Maydell Feb. 25, 2022, 11:41 a.m. UTC | #3
On Fri, 25 Feb 2022 at 04:05, <wliang@stu.xidian.edu.cn> wrote:
>
>
> >
> > The fix is correct.  We just need the submission formatted properly, with your
> > Signed-off-by tag.  When re-formatting, you can add my
> >
> > Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
> >
>
> > r~
>
> Hi guys,
>
> Thank you for waiting for me.
>
> Here is a new patch with Signed-off-by tags.

Thanks; I've applied this patch to target-arm.next (with some cleanup
of the commit message).

PS: the subject line suggests you're creating patches against the 6.2.0
release. For submitting patches to us, please always make them against
the current head-of-git, not against an old release version. (As it
happens, this patch is fine anyway, as the code in question hadn't
changed.)

thanks
-- PMM

Patch

--- ./target/arm/translate-a64.c	2022-02-23 15:06:32.212756633 +0800
+++ ./target/arm/translate-a64-PATCH.c	2022-02-23 21:13:15.604128138 +0800
@@ -9045,9 +9045,9 @@ 
         }
     }
 
-    tcg_temp_free_ptr(tcg_fpstatus);
     tcg_temp_free_i32(tcg_shift);
     gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
+    tcg_temp_free_ptr(tcg_fpstatus);
     tcg_temp_free_i32(tcg_rmode);
 }
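Review bot: the reorder in this hunk is right: the gen_helper_set_rmode() call still reads tcg_fpstatus as its third operand, so its tcg_temp_free_ptr() has to follow that call, as the `+` line now has it, and tcg_shift is not an operand of the call, so freeing it first is fine. Two things to note before this goes in via git am: the `+++` header names `./target/arm/translate-a64-PATCH.c` rather than the in-tree path, so regenerate the patch with `git format-patch` against current master (as the maintainer asked) so both sides carry `a/` and `b/` paths and the Signed-off-by and Reviewed-by tags ride along in the commit message, which on this page still shows neither. Also worth recording in that message is why the bug was latent rather than visible: in the pre-patch ordering only another free sits between the free of tcg_fpstatus and its use, so no new temp could have taken over the freed slot before the helper op was emitted; any later edit that allocated a temp in between would have turned this into a helper silently reading the wrong temp.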