From patchwork Wed Feb 23 14:33:27 2022
X-Patchwork-Submitter: wliang@stu.xidian.edu.cn
X-Patchwork-Id: 12757130
Date: Wed, 23 Feb 2022 22:33:27 +0800 (GMT+08:00)
From: wliang@stu.xidian.edu.cn
To: qemu-devel@nongnu.org
Subject: Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0).
Message-ID: <5ec4ffe1.25b2.17f27005362.Coremail.wliang@stu.xidian.edu.cn>

Hi all,

I find a potential Use-after-free bug in QEMU 6.2.0, which is in handle_simd_shift_fpint_conv() (./target/arm/translate-a64.c).

At line 9048, a variable 'tcg_fpstatus' is freed by invoking tcg_temp_free_ptr(). However, at line 9050, the variable 'tcg_fpstatus' is subsequently used as the 3rd parameter of the function gen_helper_set_rmode. This may result in a use-after-free bug.
9048     tcg_temp_free_ptr(tcg_fpstatus);
9049     tcg_temp_free_i32(tcg_shift);
9050     gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);

I believe the bug can be fixed by invoking gen_helper_set_rmode() before 'tcg_fpstatus' is freed by tcg_temp_free_ptr().

---      tcg_temp_free_ptr(tcg_fpstatus);
9049     tcg_temp_free_i32(tcg_shift);
9050     gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
+++      tcg_temp_free_ptr(tcg_fpstatus);

I'm looking forward to your confirmation.

Best,
Wentao

Reviewed-by: Richard Henderson

--- ./target/arm/translate-a64.c 2022-02-23 15:06:32.212756633 +0800 +++ ./target/arm/translate-a64-PATCH.c 2022-02-23 21:13:15.604128138 +0800 @@ -9045,9 +9045,9 @@ } } - tcg_temp_free_ptr(tcg_fpstatus); tcg_temp_free_i32(tcg_shift); gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus); + tcg_temp_free_ptr(tcg_fpstatus); tcg_temp_free_i32(tcg_rmode); }
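Review bot: the patch carries no Signed-off-by: line (only a Reviewed-by: trailer) and its header pairs ./target/arm/translate-a64.c with ./target/arm/translate-a64-PATCH.c instead of the a/ and b/ paths git am expects, so it should be regenerated with git format-patch, with a commit message, before it can be applied. The change itself is correct: tcg_fpstatus is still passed to gen_helper_set_rmode() after the removed tcg_temp_free_ptr() call, and the added line frees it only after that last use, while tcg_shift and tcg_rmode are already freed after their last visible uses, so nothing else in the hunk needs to move.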
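As an added example (not part of the report or of QEMU's own tooling), a small line-based lint that flags the pattern described above: a TCG temp referenced again after tcg_temp_free_*() within the same function body. The sample input is constructed to mirror the quoted lines; the function name handle_example and its two setup lines are assumptions, not QEMU source.

```python
import re

# Constructed sample (not QEMU's source) mirroring the lines the report quotes:
# the temp is freed on line 5 and passed to a helper on line 7.
SAMPLE_BAD = """\
static void handle_example(DisasContext *s)
{
    TCGv_ptr tcg_fpstatus = fpstatus_ptr(FPST_FPCR);
    TCGv_i32 tcg_shift = tcg_const_i32(4);
    tcg_temp_free_ptr(tcg_fpstatus);
    tcg_temp_free_i32(tcg_shift);
    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
    tcg_temp_free_i32(tcg_rmode);
}
"""

# The same function with the free moved after the last use, as in the patch.
SAMPLE_FIXED = SAMPLE_BAD.replace(
    "    tcg_temp_free_ptr(tcg_fpstatus);\n", "", 1).replace(
    "    tcg_temp_free_i32(tcg_rmode);\n",
    "    tcg_temp_free_ptr(tcg_fpstatus);\n    tcg_temp_free_i32(tcg_rmode);\n", 1)

FREE_RE = re.compile(r"\btcg_temp_free_(?:ptr|i32|i64|vec)\s*\(\s*(\w+)\s*\)")
IDENT_RE = re.compile(r"\b[A-Za-z_]\w*\b")


def find_use_after_free(src):
    """Return [(free_line, use_line, name)] for each TCG temp that is
    referenced again after tcg_temp_free_*() inside the same function body.
    Line-based and approximate: it skips // comments but not strings or
    #if blocks, so treat hits as candidates for manual review."""
    findings = []
    freed = {}      # temp name -> line where it was freed
    depth = 0       # brace depth; 0 means we are outside any function body
    for lineno, line in enumerate(src.splitlines(), 1):
        code = line.split("//", 1)[0]
        # Check uses before recording this line's frees, so the freeing call
        # itself is not reported.
        for ident in IDENT_RE.findall(code):
            if ident in freed:
                findings.append((freed.pop(ident), lineno, ident))
        for m in FREE_RE.finditer(code):
            freed[m.group(1)] = lineno
        depth += code.count("{") - code.count("}")
        if depth == 0 and "}" in code:
            freed.clear()   # function ended; its temps are out of scope
    return findings
```

Running it over a real translate-*.c file is a one-liner (read the file, call find_use_after_free); the freed/used line pairs it returns are the candidates to inspect.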