From patchwork Thu Jul 30 11:32:25 2015
X-Patchwork-Submitter: Michael Roth
X-Patchwork-Id: 51694
From: Michael Roth
To: qemu-devel@nongnu.org
Date: Thu, 30 Jul 2015 06:32:25 -0500
Message-Id: <1438255988-10418-11-git-send-email-mdroth@linux.vnet.ibm.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1438255988-10418-1-git-send-email-mdroth@linux.vnet.ibm.com>
References: <1438255988-10418-1-git-send-email-mdroth@linux.vnet.ibm.com>
Cc: Peter Maydell, qemu-stable@nongnu.org
Subject: [Qemu-devel] [PATCH 10/53] target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd

From: Peter Maydell

A LDRD or STRD where rd is not an even number is UNPREDICTABLE. We were letting this fall through, which is OK unless rd is 15, in which case we would attempt to do a load_reg or store_reg to a nonexistent r16 for the second half of the double-word.

Catch the odd-numbered-rd cases and UNDEF them instead. To do this we rearrange the structure of the code a little so we can put the UNDEF catches at the top before we've allocated TCG temporaries.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell Message-id: 1431348973-21315-1-git-send-email-peter.maydell@linaro.org (cherry picked from commit 3960c336ad96c2183549c8bf32bbff93ecda7ea4) Signed-off-by: Michael Roth --- target-arm/translate.c | 56 ++++++++++++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 24 deletions(-) diff --git a/target-arm/translate.c b/target-arm/translate.c index 9116529..f8f72be 100644 --- a/target-arm/translate.c +++ b/target-arm/translate.c @@ -8423,34 +8423,30 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) } } else { int address_offset; - int load; + bool load = insn & (1 << 20); + bool doubleword = false; /* Misc load/store */ rn = (insn >> 16) & 0xf; rd = (insn >> 12) & 0xf; + + if (!load && (sh & 2)) { + /* doubleword */ + ARCH(5TE); + if (rd & 1) { + /* UNPREDICTABLE; we choose to UNDEF */ + goto illegal_op; + } + load = (sh & 1) == 0; + doubleword = true; + } + addr = load_reg(s, rn); if (insn & (1 << 24)) gen_add_datah_offset(s, insn, 0, addr); address_offset = 0; - if (insn & (1 << 20)) { - /* load */ - tmp = tcg_temp_new_i32(); - switch(sh) { - case 1: - gen_aa32_ld16u(tmp, addr, get_mem_index(s)); - break; - case 2: - gen_aa32_ld8s(tmp, addr, get_mem_index(s)); - break; - default: - case 3: - gen_aa32_ld16s(tmp, addr, get_mem_index(s)); - break; - } - load = 1; - } else if (sh & 2) { - ARCH(5TE); - /* doubleword */ - if (sh & 1) { + + if (doubleword) { + if (!load) { /* store */ tmp = load_reg(s, rd); gen_aa32_st32(tmp, addr, get_mem_index(s)); @@ -8459,7 +8455,6 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) tmp = load_reg(s, rd + 1); gen_aa32_st32(tmp, addr, get_mem_index(s)); tcg_temp_free_i32(tmp); - load = 0; } else { /* load */ tmp = tcg_temp_new_i32(); 
@@ -8469,15 +8464,28 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) tmp = tcg_temp_new_i32(); gen_aa32_ld32u(tmp, addr, get_mem_index(s)); rd++; - load = 1; } address_offset = -4; + } else if (load) { + /* load */ + tmp = tcg_temp_new_i32(); + switch (sh) { + case 1: + gen_aa32_ld16u(tmp, addr, get_mem_index(s)); + break; + case 2: + gen_aa32_ld8s(tmp, addr, get_mem_index(s)); + break; + default: + case 3: + gen_aa32_ld16s(tmp, addr, get_mem_index(s)); + break; + } } else { /* store */ tmp = load_reg(s, rd); gen_aa32_st16(tmp, addr, get_mem_index(s)); tcg_temp_free_i32(tmp); - load = 0; } /* Perform base writeback before the loaded value to ensure correct behavior with overlapping index registers.
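Review bot: in the first hunk (@@ -8423,34 +8423,30 @@) the new `if (rd & 1) { goto illegal_op; }` guard rejects only odd rd; LDRD/STRD with rd == 14 is also UNPREDICTABLE in the architecture (the second register would be r15) and is knowingly left falling through. That is acceptable for the stated purpose, since `load_reg(s, rd + 1)` with rd == 14 still indexes a real register and the out-of-bounds access the commit message describes can no longer happen, but a one-line comment saying that rd == 14 is tolerated on purpose would save the next reader from re-auditing it. Moving the check and `ARCH(5TE)` ahead of `addr = load_reg(s, rn)` is what makes the early `goto illegal_op` safe: in the new ordering nothing has been allocated when it fires.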
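Review bot: dropping `load = 0;` from the doubleword store path in the second hunk (@@ -8459,7 +8455,6 @@) is correct only because `load` is now derived from `load = (sh & 1) == 0;` in the doubleword setup block of the first hunk, so the writeback code that follows ("Perform base writeback before the loaded value") still sees false for STRD. This is a silent dependency between two hunks; a short comment at the `load = (sh & 1) == 0;` line noting that it drives both the dispatch here and the later writeback would make it explicit.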
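Review bot: in the last hunk (@@ -8469,15 +8464,28 @@) the trailing `else { /* store */ ... gen_aa32_st16(...) }` branch is now reached only for the halfword store, because every `!load` case with `sh & 2` set was routed through the `doubleword` block above; changing the comment to `/* store halfword */` would make that implicit assumption visible. The relocated `switch (sh)` under `else if (load)` is otherwise identical to the removed one (including `default:` sharing the `case 3:` body), so there is no behaviour change for LDRH/LDRSB/LDRSH, and the `rd++` in the LDRD path now tops out at 15 because odd rd was rejected earlier, which is the actual fix for the overrun.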