qemu-devel.nongnu.org archive mirror
* [PATCH] target/i386: Verify memory operand for lcall and ljmp
@ 2021-03-24 16:46 Richard Henderson
  2021-03-24 17:00 ` Paolo Bonzini
  0 siblings, 1 reply; 2+ messages in thread
From: Richard Henderson @ 2021-03-24 16:46 UTC (permalink / raw)
  To: qemu-devel; +Cc: pbonzini, ehabkost

These two opcodes only allow a memory operand.

Lacking the check for a register operand, we used the A0 temp
without initialization, which led to a tcg abort.

Buglink: https://bugs.launchpad.net/qemu/+bug/1921138
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index af1faf9342..880bc45561 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -5061,6 +5061,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
             gen_jr(s, s->T0);
             break;
         case 3: /* lcall Ev */
+            if (mod == 3) {
+                goto illegal_op;
+            }
             gen_op_ld_v(s, ot, s->T1, s->A0);
             gen_add_A0_im(s, 1 << ot);
             gen_op_ld_v(s, MO_16, s->T0, s->A0);
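Review bot: the guard is correctly placed before the first gen_op_ld_v(s, ot, s->T1, s->A0), so the uninitialized A0 temp described in the commit message is never reached for the register form; the hunk itself does not show where `mod` is assigned, so it is worth confirming in context that it is the ModRM mod field decoded earlier in disas_insn. Raising #UD here also matches the architecture, since FF /3 is defined only with a memory operand. The same three-line check is repeated in the ljmp case below; hoisting a single mod == 3 test ahead of both cases would avoid the duplication, and a small regression test encoding the register form would lock the fix in.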
@@ -5088,6 +5091,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
             gen_jr(s, s->T0);
             break;
         case 5: /* ljmp Ev */
+            if (mod == 3) {
+                goto illegal_op;
+            }
             gen_op_ld_v(s, ot, s->T1, s->A0);
             gen_add_A0_im(s, 1 << ot);
             gen_op_ld_v(s, MO_16, s->T0, s->A0);
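Review bot: this is a verbatim copy of the guard added to the lcall case above (`if (mod == 3) { goto illegal_op; }`); functionally fine, as FF /5 likewise has no register form and the check precedes the first use of s->A0, but consider sharing one check between the two cases so a future change to the illegal-operand handling cannot drift between them.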
-- 
2.25.1




* Re: [PATCH] target/i386: Verify memory operand for lcall and ljmp
  2021-03-24 16:46 [PATCH] target/i386: Verify memory operand for lcall and ljmp Richard Henderson
@ 2021-03-24 17:00 ` Paolo Bonzini
  0 siblings, 0 replies; 2+ messages in thread
From: Paolo Bonzini @ 2021-03-24 17:00 UTC (permalink / raw)
  To: Richard Henderson, qemu-devel; +Cc: ehabkost

On 24/03/21 17:46, Richard Henderson wrote:
> These two opcodes only allow a memory operand.
> 
> Lacking the check for a register operand, we used the A0 temp
> without initialization, which led to a tcg abort.
> 
> Buglink: https://bugs.launchpad.net/qemu/+bug/1921138
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> ---
>   target/i386/tcg/translate.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
> index af1faf9342..880bc45561 100644
> --- a/target/i386/tcg/translate.c
> +++ b/target/i386/tcg/translate.c
> @@ -5061,6 +5061,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
>               gen_jr(s, s->T0);
>               break;
>           case 3: /* lcall Ev */
> +            if (mod == 3) {
> +                goto illegal_op;
> +            }
>               gen_op_ld_v(s, ot, s->T1, s->A0);
>               gen_add_A0_im(s, 1 << ot);
>               gen_op_ld_v(s, MO_16, s->T0, s->A0);
> @@ -5088,6 +5091,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
>               gen_jr(s, s->T0);
>               break;
>           case 5: /* ljmp Ev */
> +            if (mod == 3) {
> +                goto illegal_op;
> +            }
>               gen_op_ld_v(s, ot, s->T1, s->A0);
>               gen_add_A0_im(s, 1 << ot);
>               gen_op_ld_v(s, MO_16, s->T0, s->A0);
> 

Acked-by: Paolo Bonzini <pbonzini@redhat.com>


