[PULL 11/25] target/mips: tcg: detect out-of-bounds accesses to cpu_gpr
From: Paolo Bonzini
Subject: [PULL 11/25] target/mips: tcg: detect out-of-bounds accesses to cpu_gpr and cpu_gpr_hi
Date: Fri, 21 Apr 2023 11:33:02 +0200
In some cases (for example gen_compute_branch_nm in
nanomips_translate.c.inc) registers can be unused
on some paths and a negative value is passed in that case:
gen_compute_branch_nm(ctx, OPC_BPOSGE32, 4, -1, -2,
imm << 1);
To avoid an out-of-bounds access in those cases, introduce
assertions.
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/mips/tcg/translate.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index 1fb4ef712729..999fbb7cc1c0 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -1223,6 +1223,7 @@ static const char regnames_LO[][4] = {
/* General purpose registers moves. */
void gen_load_gpr(TCGv t, int reg)
{
+ assert(reg >= 0 && reg <= ARRAY_SIZE(cpu_gpr));
if (reg == 0) {
tcg_gen_movi_tl(t, 0);
} else {
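Review bot: The upper bound in the new assert is off by one: `reg <= ARRAY_SIZE(cpu_gpr)` still accepts reg == ARRAY_SIZE(cpu_gpr), which is the first index past the end of the array, so exactly the case the commit message sets out to catch (an out-of-bounds cpu_gpr[reg] in the else branch) slips through. Use `assert(reg >= 0 && reg < ARRAY_SIZE(cpu_gpr));`. The negative values from the nanomips path (-1, -2) are rejected by the `reg >= 0` half, and because that half is evaluated first the int/size_t comparison that follows only ever sees a non-negative value.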
@@ -1232,6 +1233,7 @@ void gen_load_gpr(TCGv t, int reg)
void gen_store_gpr(TCGv t, int reg)
{
+ assert(reg >= 0 && reg <= ARRAY_SIZE(cpu_gpr));
if (reg != 0) {
tcg_gen_mov_tl(cpu_gpr[reg], t);
}
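Review bot: Same off-by-one as in gen_load_gpr, and it matters more here because this path writes: with `reg <= ARRAY_SIZE(cpu_gpr)` the assertion passes for reg == ARRAY_SIZE(cpu_gpr) and `tcg_gen_mov_tl(cpu_gpr[reg], t)` then reads a TCGv one past the end of the array. Change the comparison to `reg < ARRAY_SIZE(cpu_gpr)`.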
@@ -1240,6 +1242,7 @@ void gen_store_gpr(TCGv t, int reg)
#if defined(TARGET_MIPS64)
void gen_load_gpr_hi(TCGv_i64 t, int reg)
{
+ assert(reg >= 0 && reg <= ARRAY_SIZE(cpu_gpr_hi));
if (reg == 0) {
tcg_gen_movi_i64(t, 0);
} else {
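Review bot: The bound for cpu_gpr_hi has the same defect: `reg <= ARRAY_SIZE(cpu_gpr_hi)` should be `reg < ARRAY_SIZE(cpu_gpr_hi)`, otherwise the last invalid index is never asserted on and the TARGET_MIPS64 load path can still index past cpu_gpr_hi.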
@@ -1249,6 +1252,7 @@ void gen_load_gpr_hi(TCGv_i64 t, int reg)
void gen_store_gpr_hi(TCGv_i64 t, int reg)
{
+ assert(reg >= 0 && reg <= ARRAY_SIZE(cpu_gpr_hi));
if (reg != 0) {
tcg_gen_mov_i64(cpu_gpr_hi[reg], t);
}
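Review bot: `reg <= ARRAY_SIZE(cpu_gpr_hi)` again admits reg == ARRAY_SIZE(cpu_gpr_hi) before the `cpu_gpr_hi[reg]` store; it should be `<`. Since the four hunks repeat the same two-term check with only the array name varying, a small helper or macro (for example one that takes the array and the index) would keep the bound in one place and avoid fixing the same off-by-one four times.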
--
2.40.0
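The bound that the four asserts above are meant to enforce, shown as an added stand-alone C example (not QEMU code): a constructed 32-entry register file stands in for cpu_gpr, the check is written once as it appears in the patch (`<=`) and once corrected (`<`), and a checked load/store pair reports a bad index as a return value instead of touching memory. ARRAY_SIZE, NUM_GPR and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the MIPS GPR file (cpu_gpr on the page). */
#define NUM_GPR 32
#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
static int64_t cpu_gpr[NUM_GPR];

/* Bound as written in the patch: admits reg == ARRAY_SIZE(cpu_gpr).
 * The cast only silences the int/size_t sign-compare warning; because
 * reg >= 0 is tested first, the result is the same as in the patch. */
int gpr_index_ok_as_posted(int reg)
{
    return reg >= 0 && reg <= (int)ARRAY_SIZE(cpu_gpr);
}

/* Corrected bound: only 0 .. NUM_GPR-1 are valid indices. */
int gpr_index_ok_fixed(int reg)
{
    return reg >= 0 && reg < (int)ARRAY_SIZE(cpu_gpr);
}

/* Checked load: INT64_MIN signals a bad index; register 0 reads as 0. */
int64_t read_gpr_or_sentinel(int reg)
{
    if (!gpr_index_ok_fixed(reg)) {
        return INT64_MIN;
    }
    return reg == 0 ? 0 : cpu_gpr[reg];
}

/* Checked store: -1 on a bad index; writes to register 0 are dropped. */
int store_gpr_checked(int reg, int64_t val)
{
    if (!gpr_index_ok_fixed(reg)) {
        return -1;
    }
    if (reg != 0) {
        cpu_gpr[reg] = val;
    }
    return 0;
}

/* How many candidate indices pass the posted check but fail the fixed one:
 * only NUM_GPR itself, the index one past the end of the array. */
int count_escaped_indices(void)
{
    const int candidates[] = { -2, -1, 0, 1, NUM_GPR - 1, NUM_GPR, NUM_GPR + 1 };
    int escaped = 0;
    for (size_t i = 0; i < ARRAY_SIZE(candidates); i++) {
        if (gpr_index_ok_as_posted(candidates[i]) && !gpr_index_ok_fixed(candidates[i])) {
            escaped++;
        }
    }
    return escaped;
}
```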