From patchwork Mon Mar 22 13:59:56 2021
X-Patchwork-Submitter: Philippe Mathieu-Daudé
X-Patchwork-Id: 406153
From: Philippe Mathieu-Daudé
To: qemu-devel@nongnu.org
Subject: [PULL 1/2] target/mips/mxu_translate.c: Fix array overrun for D16MIN/D16MAX
Date: Mon, 22 Mar 2021 14:59:56 +0100
Message-Id: <20210322135957.4108728-2-f4bug@amsat.org>
In-Reply-To: <20210322135957.4108728-1-f4bug@amsat.org>
References: <20210322135957.4108728-1-f4bug@amsat.org>
Cc: Peter Maydell, Aleksandar Rikalo, libvir-list@redhat.com, Philippe Mathieu-Daudé, Jiaxun Yang, qemu-stable@nongnu.org, Aurelien Jarno
From: Peter Maydell

Coverity reported (CID 1450831) an array overrun in gen_mxu_D16MAX_D16MIN():

1103     } else if (unlikely((XRb == 0) || (XRa == 0))) {
....
1112         if (opc == OPC_MXU_D16MAX) {
1113             tcg_gen_smax_i32(mxu_gpr[XRa - 1], t0, t1);
1114         } else {
1115             tcg_gen_smin_i32(mxu_gpr[XRa - 1], t0, t1);
1116         }
>>> Overrunning array "mxu_gpr" of 15 8-byte elements at element index 4294967295 (byte offset 34359738367) using index "XRa - 1U" (which evaluates to 4294967295).

This happens because the code is confused about which of XRa, XRb and XRc is the output, and which are the inputs. XRa is the output, but most of the conditions separating out different special cases are written as if XRc is the output, with the result that we can end up in the code path that assumes XRa is non-0 even when it is zero.

Fix the erroneous code, bringing it into line with the structure used in functions like gen_mxu_S32MAX_S32MIN() and gen_mxu_Q8MAX_Q8MIN().

Fixes: CID 1450831
Fixes: bb84cbf38505bd1d8
Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell
Reviewed-by: Philippe Mathieu-Daudé
Message-Id: <20210316131353.4533-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé
---
 target/mips/mxu_translate.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

-- 
2.26.2

diff --git a/target/mips/mxu_translate.c b/target/mips/mxu_translate.c
index afc008eeeef..fb0a811af6c 100644
--- a/target/mips/mxu_translate.c
+++ b/target/mips/mxu_translate.c
@@ -1095,12 +1095,12 @@ static void gen_mxu_D16MAX_D16MIN(DisasContext *ctx) if (unlikely(pad != 0)) { /* opcode padding incorrect -> do nothing */ - } else if (unlikely(XRc == 0)) { + } else if (unlikely(XRa == 0)) { /* destination is zero register -> do nothing */ - } else if (unlikely((XRb == 0) && (XRa == 0))) { + } else if (unlikely((XRb == 0) && (XRc == 0))) { /* both operands zero registers -> just set destination to zero */ - tcg_gen_movi_i32(mxu_gpr[XRc - 1], 0); - } else if (unlikely((XRb == 0) || (XRa == 0))) { + tcg_gen_movi_i32(mxu_gpr[XRa - 1], 0); + } else if (unlikely((XRb == 0) || (XRc == 0))) { /* exactly one operand is zero register - find which one is not...*/ uint32_t XRx = XRb ? XRb : XRc; /* ...and do half-word-wise max/min with one operand 0 */
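Review bot: no regression test accompanies the guard reordering in this hunk, so nothing in the patch exercises the branches it corrects. A TCG test that executes D16MAX and D16MIN with XRa == 0 (expecting no write, per the comment `/* destination is zero register -> do nothing */`) and with exactly one of XRb/XRc == 0 would pin the new ordering to observable behaviour. The logic itself reads correctly: checking `XRa == 0` first means every later `mxu_gpr[XRa - 1]` index, including the ones Coverity flagged at lines 1113 and 1115, is at least 0 and at most 14, and `uint32_t XRx = XRb ? XRb : XRc;` now agrees with its condition `(XRb == 0) || (XRc == 0)`, so XRx is always the non-zero source register.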
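As an added illustration of the destination/source mix-up the commit message describes (this is not code from the patch or from QEMU), the following C model reproduces the guard ordering before and after the fix and shows why the unsigned `XRa - 1U` index wraps to 4294967295 only in the old ordering. The function names `decode_before`, `decode_after` and `count_out_of_bounds`, the `struct decode` result type, and the assumption that each XR register field is 4 bits wide (0..15) are mine; the 15-element `mxu_gpr` size comes from the Coverity message quoted above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* mxu_gpr[] holds XR1..XR15; XR0 is hard-wired zero and has no slot.
 * The 15-element size is the one the quoted Coverity message reports. */
#define MXU_NUM_GPR 15U
/* Assumption for the exhaustive scan: each XR field is 4 bits wide (0..15). */
#define XR_FIELD_MAX 15U

enum action { ACT_NOP, ACT_ZERO_DEST, ACT_HALF_ZERO, ACT_FULL };

struct decode {
    enum action act;
    uint32_t dest_index;  /* index into mxu_gpr[], unused when act == ACT_NOP */
    bool in_bounds;       /* no write at all, or dest_index < MXU_NUM_GPR */
};

static struct decode make_decode(enum action act, uint32_t dest_index)
{
    struct decode d;
    d.act = act;
    d.dest_index = dest_index;
    d.in_bounds = (act == ACT_NOP) || (dest_index < MXU_NUM_GPR);
    return d;
}

/* Guard ordering before the patch: XRc is tested as if it were the
 * destination, so XRa == 0 can reach a branch that indexes XRa - 1U. */
static struct decode decode_before(uint32_t XRa, uint32_t XRb, uint32_t XRc)
{
    if (XRc == 0) {
        return make_decode(ACT_NOP, 0);
    } else if (XRb == 0 && XRa == 0) {
        return make_decode(ACT_ZERO_DEST, XRc - 1U);  /* in bounds, wrong register */
    } else if (XRb == 0 || XRa == 0) {
        return make_decode(ACT_HALF_ZERO, XRa - 1U);  /* XRa == 0 wraps to 4294967295 */
    }
    return make_decode(ACT_FULL, XRa - 1U);
}

/* Guard ordering after the patch: the real destination XRa is tested first,
 * so every later XRa - 1U index lies in 0..14. */
static struct decode decode_after(uint32_t XRa, uint32_t XRb, uint32_t XRc)
{
    if (XRa == 0) {
        return make_decode(ACT_NOP, 0);
    } else if (XRb == 0 && XRc == 0) {
        return make_decode(ACT_ZERO_DEST, XRa - 1U);
    } else if (XRb == 0 || XRc == 0) {
        return make_decode(ACT_HALF_ZERO, XRa - 1U);
    }
    return make_decode(ACT_FULL, XRa - 1U);
}

typedef struct decode (*decoder_fn)(uint32_t, uint32_t, uint32_t);

/* Count how many (XRa, XRb, XRc) encodings would write outside mxu_gpr[]. */
static unsigned count_out_of_bounds(decoder_fn decode)
{
    unsigned bad = 0;
    for (uint32_t a = 0; a <= XR_FIELD_MAX; a++) {
        for (uint32_t b = 0; b <= XR_FIELD_MAX; b++) {
            for (uint32_t c = 0; c <= XR_FIELD_MAX; c++) {
                if (!decode(a, b, c).in_bounds) {
                    bad++;
                }
            }
        }
    }
    return bad;
}

int main(void)
{
    /* The Coverity case: destination XR0, both source registers non-zero. */
    struct decode before = decode_before(0, 1, 2);
    struct decode after = decode_after(0, 1, 2);

    printf("before fix: dest index %u, in bounds: %s\n",
           before.dest_index, before.in_bounds ? "yes" : "no");
    printf("after fix:  no-op: %s\n", after.act == ACT_NOP ? "yes" : "no");
    printf("encodings writing out of bounds: before=%u after=%u\n",
           count_out_of_bounds(decode_before), count_out_of_bounds(decode_after));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. The exhaustive scan shows that every out-of-bounds encoding in the old ordering has XRa == 0 with both sources non-zero, exactly the shape Coverity reported, and that the new ordering leaves none, because the `XRa == 0` guard runs before any subtraction on XRa.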