mirrors/qemu
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

target/tricore: Add CHECK_REG_PAIR() for insn accessing 64 bit regs

Browse Source 
some insns were not checking if an even index was used to access a 64
bit register. In the worst case that could lead to a buffer overflow as
reported in https://gitlab.com/qemu-project/qemu/-/issues/1698.

Reported-by: Siqi Chen <coc.cyqh@gmail.com>
Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>
Message-Id: <20230612113245.56667-4-kbastian@mail.uni-paderborn.de>
This commit is contained in:
Bastian Koppelmann 2023-06-12 13:32:44 +02:00
parent 5434557ffc
commit 6991777ec4
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
target/tricore/translate.c
View File

@ -309,6 +309,7 @@ static void gen_cmpswap(DisasContext *ctx, int reg, TCGv ea)
{
TCGv temp = tcg_temp_new();
TCGv temp2 = tcg_temp_new();
CHECK_REG_PAIR(reg);
tcg_gen_qemu_ld_tl(temp, ea, ctx->mem_idx, MO_LEUL);
tcg_gen_movcond_tl(TCG_COND_EQ, temp2, cpu_gpr_d[reg+1], temp,
cpu_gpr_d[reg], temp);
@ -321,7 +322,7 @@ static void gen_swapmsk(DisasContext *ctx, int reg, TCGv ea)
TCGv temp = tcg_temp_new();
TCGv temp2 = tcg_temp_new();
TCGv temp3 = tcg_temp_new();
CHECK_REG_PAIR(reg);
tcg_gen_qemu_ld_tl(temp, ea, ctx->mem_idx, MO_LEUL);
tcg_gen_and_tl(temp2, cpu_gpr_d[reg], cpu_gpr_d[reg+1]);
tcg_gen_andc_tl(temp3, temp, cpu_gpr_d[reg+1]);
@ -3219,6 +3220,7 @@ static void decode_src_opc(DisasContext *ctx, int op1)
break;
case OPC1_16_SRC_MOV_E:
if (has_feature(ctx, TRICORE_FEATURE_16)) {
CHECK_REG_PAIR(r1);
tcg_gen_movi_tl(cpu_gpr_d[r1], const4);
tcg_gen_sari_tl(cpu_gpr_d[r1+1], cpu_gpr_d[r1], 31);
} else {
@ -6180,6 +6182,7 @@ static void decode_rr_divide(DisasContext *ctx)
tcg_gen_sari_tl(cpu_gpr_d[r3+1], cpu_gpr_d[r1], 31);
break;
case OPC2_32_RR_DVINIT_U:
CHECK_REG_PAIR(r3);
/* overflow = (D[b] == 0) */
tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_PSW_V, cpu_gpr_d[r2], 0);
tcg_gen_shli_tl(cpu_PSW_V, cpu_PSW_V, 31);
@ -6230,6 +6233,7 @@ static void decode_rr_divide(DisasContext *ctx)
break;
case OPC2_32_RR_DIV:
if (has_feature(ctx, TRICORE_FEATURE_16)) {
CHECK_REG_PAIR(r3);
GEN_HELPER_RR(divide, cpu_gpr_d[r3], cpu_gpr_d[r3+1], cpu_gpr_d[r1],
cpu_gpr_d[r2]);
} else {
@ -6238,6 +6242,7 @@ static void decode_rr_divide(DisasContext *ctx)
break;
case OPC2_32_RR_DIV_U:
if (has_feature(ctx, TRICORE_FEATURE_16)) {
CHECK_REG_PAIR(r3);
GEN_HELPER_RR(divide_u, cpu_gpr_d[r3], cpu_gpr_d[r3+1],
cpu_gpr_d[r1], cpu_gpr_d[r2]);
} else {
@ -6764,6 +6769,8 @@ static void decode_rrr2_msub(DisasContext *ctx)
cpu_gpr_d[r3], cpu_gpr_d[r3+1], cpu_gpr_d[r2]);
break;
case OPC2_32_RRR2_MSUB_U_64:
CHECK_REG_PAIR(r4);
CHECK_REG_PAIR(r3);
gen_msubu64_d(cpu_gpr_d[r4], cpu_gpr_d[r4+1], cpu_gpr_d[r1],
cpu_gpr_d[r3], cpu_gpr_d[r3+1], cpu_gpr_d[r2]);
break;
@ -7847,7 +7854,7 @@ static void decode_rrrw_extract_insert(DisasContext *ctx)
break;
case OPC2_32_RRRW_IMASK:
temp2 = tcg_temp_new();
CHECK_REG_PAIR(r4);
tcg_gen_andi_tl(temp, cpu_gpr_d[r3], 0x1f);
tcg_gen_movi_tl(temp2, (1 << width) - 1);
tcg_gen_shl_tl(temp2, temp2, temp);