From patchwork Fri May 29 13:10:45 2015
X-Patchwork-Submitter: Peter Maydell
X-Patchwork-Id: 49195
From: Peter Maydell
To: qemu-devel@nongnu.org
Date: Fri, 29 May 2015 14:10:45 +0100
Message-Id: <1432905045-22138-40-git-send-email-peter.maydell@linaro.org>
In-Reply-To: <1432905045-22138-1-git-send-email-peter.maydell@linaro.org>
References: <1432905045-22138-1-git-send-email-peter.maydell@linaro.org>
Subject: [Qemu-devel] [PULL 39/39] target-arm: Avoid buffer overrun on UNPREDICTABLE ldrd/strd

A LDRD or STRD where rd is not an even number is UNPREDICTABLE. We were letting this fall through, which is OK unless rd is 15, in which case we would attempt to do a load_reg or store_reg to a nonexistent r16 for the second half of the double-word. Catch the odd-numbered-rd cases and UNDEF them instead.

To do this we rearrange the structure of the code a little so we can put the UNDEF catches at the top before we've allocated TCG temporaries.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell
Message-id: 1431348973-21315-1-git-send-email-peter.maydell@linaro.org
---
 target-arm/translate.c | 56 ++++++++++++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 24 deletions(-)
diff --git a/target-arm/translate.c b/target-arm/translate.c index 6493b9a..39692d7 100644 --- a/target-arm/translate.c +++ b/target-arm/translate.c @@ -8430,34 +8430,30 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) } } else { int address_offset; - int load; + bool load = insn & (1 << 20); + bool doubleword = false; /* Misc load/store */ rn = (insn >> 16) & 0xf; rd = (insn >> 12) & 0xf; + + if (!load && (sh & 2)) { + /* doubleword */ + ARCH(5TE); + if (rd & 1) { + /* UNPREDICTABLE; we choose to UNDEF */ + goto illegal_op; + } + load = (sh & 1) == 0; + doubleword = true; + } + addr = load_reg(s, rn); if (insn & (1 << 24)) gen_add_datah_offset(s, insn, 0, addr); address_offset = 0; - if (insn & (1 << 20)) { - /* load */ - tmp = tcg_temp_new_i32(); - switch(sh) { - case 1: - gen_aa32_ld16u(tmp, addr, get_mem_index(s)); - break; - case 2: - gen_aa32_ld8s(tmp, addr, get_mem_index(s)); - break; - default: - case 3: - gen_aa32_ld16s(tmp, addr, get_mem_index(s)); - break; - } - load = 1; - } else if (sh & 2) { - ARCH(5TE); - /* doubleword */ - if (sh & 1) { + + if (doubleword) { + if (!load) { /* store */ tmp = load_reg(s, rd); gen_aa32_st32(tmp, addr, get_mem_index(s)); @@ -8466,7 +8462,6 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) tmp = load_reg(s, rd + 1); gen_aa32_st32(tmp, addr, get_mem_index(s)); tcg_temp_free_i32(tmp); - load = 0; } else { /* load */ tmp = tcg_temp_new_i32(); 
@@ -8476,15 +8471,28 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn) tmp = tcg_temp_new_i32(); gen_aa32_ld32u(tmp, addr, get_mem_index(s)); rd++; - load = 1; } address_offset = -4; + } else if (load) { + /* load */ + tmp = tcg_temp_new_i32(); + switch (sh) { + case 1: + gen_aa32_ld16u(tmp, addr, get_mem_index(s)); + break; + case 2: + gen_aa32_ld8s(tmp, addr, get_mem_index(s)); + break; + default: + case 3: + gen_aa32_ld16s(tmp, addr, get_mem_index(s)); + break; + } } else { /* store */ tmp = load_reg(s, rd); gen_aa32_st16(tmp, addr, get_mem_index(s)); tcg_temp_free_i32(tmp); - load = 0; } /* Perform base writeback before the loaded value to ensure correct behavior with overlapping index registers.
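Review bot: the new `if (rd & 1) { goto illegal_op; }` in the first hunk rejects every odd rd, including rd == 15, so the `rd + 1` / `rd++` accesses in the later hunks can no longer reach a nonexistent r16, which is exactly the overrun the commit message describes. rd == 14 still falls through, and its second register is then r15 (the ARM ARM also lists Rt2 == 15 as UNPREDICTABLE for LDRD/STRD); that is no longer an out-of-bounds register access, so leaving it for this fix is reasonable, but a short comment next to the check saying that only the odd-rd case is UNDEFed here and rd == 14 is deliberately left alone would save the next reader from re-deriving it, e.g. `/* UNPREDICTABLE (odd rd); we choose to UNDEF. rd == 14 is left alone. */`. Computing `load` and `doubleword` before `load_reg(s, rn)` allocates the first temporary is the right ordering, since `goto illegal_op` then has nothing to free.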
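Review bot: in the third hunk the `} else if (load) { /* load */` and `} else { /* store */` branches are now reached only for the non-doubleword encodings (the `if (doubleword)` block above takes the `sh & 2` stores), yet their comments read identically to the doubleword `/* load */` and `/* store */` comments in the second hunk. Suggest `/* halfword / signed byte load */` and `/* halfword store */` so the two pairs are distinguishable at a glance. Also, the `default:` label sitting between `case 2:` and `case 3:` was carried over verbatim from the deleted block; since the switch is being moved anyway, placing `default:` after `case 3:` would read more naturally without changing behaviour. Dropping the `load = 1;` / `load = 0;` assignments is sound because `load` is now fully determined from `sh` and bit 20 before any of these branches run.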