From patchwork Thu Feb  5 14:02:50 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Peter Maydell <peter.maydell@linaro.org>
X-Patchwork-Id: 44435
Return-Path: <patchwork-forward+bncBC6Z756YVMIBBCHSZWTAKGQEQ4CVZFA@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-lb0-f197.google.com (mail-lb0-f197.google.com
 [209.85.217.197])
 by ip-10-151-82-157.ec2.internal (Postfix) with ESMTPS id 8AA6D21521
 for <linaro@patches.linaro.org>; Thu,  5 Feb 2015 14:07:05 +0000 (UTC)
Received: by mail-lb0-f197.google.com with SMTP id b6sf5581512lbj.0
 for <linaro@patches.linaro.org>; Thu, 05 Feb 2015 06:07:04 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:mime-version:delivered-to:from:to:date
 :message-id:in-reply-to:references:subject:precedence:list-id
 :list-unsubscribe:list-archive:list-post:list-help:list-subscribe
 :errors-to:sender:x-original-sender
 :x-original-authentication-results:mailing-list;
 bh=CYUhG8ecghvqcynTZILtuDVPfgk1yKkssfwge31hcV4=;
 b=ZVnCxWf1QPvMOIez9c/sOltBgmGS+GWRdkmbf9T82gd51CixgQnvt0tmQEkAyg5Pca
 TUXQKIf8kQlPolUHEz6/6pppY6J0Cq+ug+H8AnXWznfOuUbfvAM0foLndoupLnV+FOx1
 8MsnS5hXuPcQ8axf4dRAXQLi+XbMEbZ/LZ8RbKvfqOUYL/MhTedQhr8lsz7s3ZzMoB27
 82KtWJM0BN0iCqc93ywibwQ5IkpIn2YbLhn6egyheaQrLlIBqiCrb8bdIy0Fc2hHd3x/
 p/qzJTGPaWz9ZzMgAJBsYetK7W2Ku0D5n0I3cKxoCtPfvieTQiXPhgd/rAO0J5+RYi7I
 t0Aw==
X-Gm-Message-State: ALoCoQlN4hePkfXVui8dtVfjlYuScEluzvn/ArCRlPVvm20xOWNhigesVw4Kx+AjjAcjscqJI5QP
X-Received: by 10.112.35.135 with SMTP id h7mr510898lbj.23.1423145224569;
 Thu, 05 Feb 2015 06:07:04 -0800 (PST)
MIME-Version: 1.0
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.37.194 with SMTP id a2ls163866lak.108.gmail; Thu, 05 Feb
 2015 06:07:04 -0800 (PST)
X-Received: by 10.152.28.227 with SMTP id e3mr189111lah.117.1423145224364;
 Thu, 05 Feb 2015 06:07:04 -0800 (PST)
Received: from mail-lb0-f176.google.com (mail-lb0-f176.google.com.
 [209.85.217.176]) by mx.google.com with ESMTPS id
 li1si4000617lab.97.2015.02.05.06.07.04
 for <patchwork-forward@linaro.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 05 Feb 2015 06:07:04 -0800 (PST)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.176 as permitted sender) client-ip=209.85.217.176; 
Received: by mail-lb0-f176.google.com with SMTP id w7so3122135lbi.7
 for <patchwork-forward@linaro.org>;
 Thu, 05 Feb 2015 06:07:04 -0800 (PST)
X-Received: by 10.112.40.201 with SMTP id z9mr132021lbk.117.1423145224282;
 Thu, 05 Feb 2015 06:07:04 -0800 (PST)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.35.133 with SMTP id h5csp1161720lbj;
 Thu, 5 Feb 2015 06:07:03 -0800 (PST)
X-Received: by 10.140.85.9 with SMTP id m9mr7936549qgd.7.1423145217517;
 Thu, 05 Feb 2015 06:06:57 -0800 (PST)
Received: from lists.gnu.org (lists.gnu.org. [2001:4830:134:3::11])
 by mx.google.com with ESMTPS id r5si6174024qad.68.2015.02.05.06.06.56
 for <patch@linaro.org> (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Thu, 05 Feb 2015 06:06:57 -0800 (PST)
Received-SPF: pass (google.com: domain of
 qemu-devel-bounces+patch=linaro.org@nongnu.org designates
 2001:4830:134:3::11 as permitted sender)
 client-ip=2001:4830:134:3::11; 
Received: from localhost ([::1]:42120 helo=lists.gnu.org)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <qemu-devel-bounces+patch=linaro.org@nongnu.org>)
 id 1YJN56-0006sy-Il
 for patch@linaro.org; Thu, 05 Feb 2015 09:06:56 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:49859)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1YJN1f-0001SX-Tq
 for qemu-devel@nongnu.org; Thu, 05 Feb 2015 09:03:24 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1YJN1e-0007X2-G5
 for qemu-devel@nongnu.org; Thu, 05 Feb 2015 09:03:23 -0500
Received: from mnementh.archaic.org.uk ([2001:8b0:1d0::1]:54955)
 by eggs.gnu.org with esmtp (Exim 4.71)
 (envelope-from <pm215@archaic.org.uk>) id 1YJN1e-0007RD-9Y
 for qemu-devel@nongnu.org; Thu, 05 Feb 2015 09:03:22 -0500
Received: from pm215 by mnementh.archaic.org.uk with local (Exim 4.80)
 (envelope-from <pm215@archaic.org.uk>) id 1YJN1P-0002zc-Tz
 for qemu-devel@nongnu.org; Thu, 05 Feb 2015 14:03:07 +0000
From: Peter Maydell <peter.maydell@linaro.org>
To: qemu-devel@nongnu.org
Date: Thu,  5 Feb 2015 14:02:50 +0000
Message-Id: <1423144987-11425-12-git-send-email-peter.maydell@linaro.org>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1423144987-11425-1-git-send-email-peter.maydell@linaro.org>
References: <1423144987-11425-1-git-send-email-peter.maydell@linaro.org>
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address
 (bad octet value).
X-Received-From: 2001:8b0:1d0::1
Subject: [Qemu-devel] [PULL 11/28] target-arm: check that LSB <= MSB in BFI
 instruction
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <patchwork-forward.linaro.org>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+patch=linaro.org@nongnu.org
Sender: qemu-devel-bounces+patch=linaro.org@nongnu.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: peter.maydell@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.217.176 as permitted sender)
 smtp.mail=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541

From: Kirill Batuzov <batuzovk@ispras.ru>

The documentation states that if LSB > MSB in BFI instruction behaviour
is unpredictable. Currently QEMU crashes because of assertion failure in
this case:

tcg/tcg-op.h:2061: tcg_gen_deposit_i32: Assertion `len <= 32' failed.

While assertion failure may meet the "unpredictable" definition this
behaviour is undesirable because it allows an unprivileged guest program
to crash the emulator with the OS and other programs.

This patch addresses the issue by throwing illegal instruction exception
if LSB > MSB. Only ARM decoder is affected because Thumb decoder already
has this check in place.

To reproduce issue run the following program

int main(void) {
    asm volatile (".long 0x07c00c12" :: );
    return 0;
}

compiled with
  gcc -marm -static badop_arm.c -o badop_arm

Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target-arm/translate.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target-arm/translate.c b/target-arm/translate.c
index bdfcdf1..2c1c2a7 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -8739,6 +8739,10 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         ARCH(6T2);
                         shift = (insn >> 7) & 0x1f;
                         i = (insn >> 16) & 0x1f;
+                        if (i < shift) {
+                            /* UNPREDICTABLE; we choose to UNDEF */
+                            goto illegal_op;
+                        }
                         i = i + 1 - shift;
                         if (rm == 15) {
                             tmp = tcg_temp_new_i32();