[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 1/7] cpu-exec: fix jmp_first out-of-bounds access wi
From: |
Paolo Bonzini |
Subject: |
[Qemu-devel] [PATCH 1/7] cpu-exec: fix jmp_first out-of-bounds access with icount |
Date: |
Sun, 29 Jan 2017 22:09:04 +0100 |
When icount is active, tb_add_jump is surprisingly called with an out of
bounds basic block index. I have no idea how that can work (it overwrites
jmp_first so at least it doesn't cause an immediate segv), but it does
not seem like a good idea. Clear *last_tb for all TB_EXIT_ICOUNT_EXPIRED
cases, even when all you have to do is refill icount_extra.
Cc: address@hidden
Signed-off-by: Paolo Bonzini <address@hidden>
---
cpu-exec.c | 7 ++++---
include/exec/exec-all.h | 1 +
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/cpu-exec.c b/cpu-exec.c
index fa08c73..2dc10c1 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -542,7 +542,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
trace_exec_tb(tb, tb->pc);
ret = cpu_tb_exec(cpu, tb);
- *last_tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
+ tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
*tb_exit = ret & TB_EXIT_MASK;
switch (*tb_exit) {
case TB_EXIT_REQUESTED:
@@ -566,6 +566,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
abort();
#else
int insns_left = cpu->icount_decr.u32;
+ *last_tb = NULL;
if (cpu->icount_extra && insns_left >= 0) {
/* Refill decrementer and continue execution. */
cpu->icount_extra += insns_left;
@@ -575,17 +576,17 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
} else {
if (insns_left > 0) {
/* Execute remaining instructions. */
- cpu_exec_nocache(cpu, insns_left, *last_tb, false);
+ cpu_exec_nocache(cpu, insns_left, tb, false);
align_clocks(sc, cpu);
}
cpu->exception_index = EXCP_INTERRUPT;
- *last_tb = NULL;
cpu_loop_exit(cpu);
}
break;
#endif
}
default:
+ *last_tb = tb;
break;
}
}
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index bbc9478..21ab7bf 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -318,6 +318,7 @@ static inline void tb_set_jmp_target(TranslationBlock *tb,
static inline void tb_add_jump(TranslationBlock *tb, int n,
TranslationBlock *tb_next)
{
+ assert(n < ARRAY_SIZE(tb->jmp_list_next));
if (tb->jmp_list_next[n]) {
/* Another thread has already done this while we were
* outside of the lock; nothing to do in this case */
--
2.9.3
- [Qemu-devel] [RFC/RFT PATCH 0/7] cpu-exec: simplify cpu_exec and remove some icount special cases, Paolo Bonzini, 2017/01/29
- [Qemu-devel] [PATCH 2/7] cpu-exec: tighten barrier on TCG_EXIT_REQUESTED, Paolo Bonzini, 2017/01/29
- [Qemu-devel] [PATCH 1/7] cpu-exec: fix jmp_first out-of-bounds access with icount,
Paolo Bonzini <=
- [Qemu-devel] [PATCH 5/7] cpu-exec: remove outermost infinite loop, Paolo Bonzini, 2017/01/29
- [Qemu-devel] [PATCH 4/7] cpu-exec: avoid repeated sigsetjmp on interrupts, Paolo Bonzini, 2017/01/29
- [Qemu-devel] [PATCH 3/7] cpu-exec: avoid cpu_loop_exit in cpu_handle_interrupt, Paolo Bonzini, 2017/01/29
- [Qemu-devel] [PATCH 6/7] cpu-exec: unify icount_decr and tcg_exit_req, Paolo Bonzini, 2017/01/29
- [Qemu-devel] [PATCH 7/7] cpu-exec: centralize exiting to the main loop, Paolo Bonzini, 2017/01/29
- Re: [Qemu-devel] [RFC/RFT PATCH 0/7] cpu-exec: simplify cpu_exec and remove some icount special cases, no-reply, 2017/01/29
- Re: [Qemu-devel] [RFC/RFT PATCH 0/7] cpu-exec: simplify cpu_exec and remove some icount special cases, Pavel Dovgalyuk, 2017/01/31