From patchwork Wed Apr 27 04:39:37 2022
X-Patchwork-Submitter: Richard Henderson
X-Patchwork-Id: 566750
From: Richard Henderson
To: qemu-devel@nongnu.org
Cc: Peter Maydell, Alex Bennée
Subject: [PULL 1/6] accel/tcg: Assert mmu_idx in range before use in cputlb
Date: Tue, 26 Apr 2022 21:39:37 -0700
Message-Id: <20220427043942.294654-2-richard.henderson@linaro.org>
In-Reply-To: <20220427043942.294654-1-richard.henderson@linaro.org>
References: <20220427043942.294654-1-richard.henderson@linaro.org>

Coverity reports out-of-bound accesses within cputlb.c. This should be a false positive due to how the index is decoded from MemOpIdx. To be fair, nothing is checking the correct bounds during encoding either.

Assert index in range before use, both to catch user errors and to pacify static analysis.

Fixes: Coverity CID 1487120, 1487127, 1487170, 1487196, 1487215, 1487238
Signed-off-by: Richard Henderson
Reviewed-by: Peter Maydell
Reviewed-by: Alex Bennée
Message-Id: <20220401170813.318609-1-richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 40 +++++++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 13 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index dd45e0467b..f90f4312ea 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -1761,7 +1761,7 @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr, MemOpIdx oi, int size, int prot, uintptr_t retaddr) { - size_t mmu_idx = get_mmuidx(oi); + uintptr_t mmu_idx = get_mmuidx(oi); MemOp mop = get_memop(oi); int a_bits = get_alignment_bits(mop); uintptr_t index; @@ -1769,6 +1769,8 @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr, target_ulong tlb_addr; void *hostaddr; + tcg_debug_assert(mmu_idx < NB_MMU_MODES); + /* Adjust the given return address. */ retaddr -= GETPC_ADJ; @@ -1908,18 +1910,20 @@ load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi, uintptr_t retaddr, MemOp op, bool code_read, FullLoadHelper *full_load) { - uintptr_t mmu_idx = get_mmuidx(oi); - uintptr_t index = tlb_index(env, mmu_idx, addr); - CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr); - target_ulong tlb_addr = code_read ? entry->addr_code : entry->addr_read; const size_t tlb_off = code_read ? offsetof(CPUTLBEntry, addr_code) : offsetof(CPUTLBEntry, addr_read); const MMUAccessType access_type = code_read ? MMU_INST_FETCH : MMU_DATA_LOAD; - unsigned a_bits = get_alignment_bits(get_memop(oi)); + const unsigned a_bits = get_alignment_bits(get_memop(oi)); + const size_t size = memop_size(op); + uintptr_t mmu_idx = get_mmuidx(oi); + uintptr_t index; + CPUTLBEntry *entry; + target_ulong tlb_addr; void *haddr; uint64_t res; - size_t size = memop_size(op); + + tcg_debug_assert(mmu_idx < NB_MMU_MODES); /* Handle CPU specific unaligned behaviour */ if (addr & ((1 << a_bits) - 1)) { @@ -1927,6 +1931,10 @@ load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi, mmu_idx, retaddr); } + index = tlb_index(env, mmu_idx, addr); + entry = tlb_entry(env, mmu_idx, addr); + tlb_addr = code_read ? entry->addr_code : entry->addr_read; + /* If the TLB entry is for a different page, reload and try again. */ if (!tlb_hit(tlb_addr, addr)) { if (!victim_tlb_hit(env, mmu_idx, index, tlb_off, 
@@ -2310,14 +2318,16 @@ static inline void QEMU_ALWAYS_INLINE store_helper(CPUArchState *env, target_ulong addr, uint64_t val, MemOpIdx oi, uintptr_t retaddr, MemOp op) { - uintptr_t mmu_idx = get_mmuidx(oi); - uintptr_t index = tlb_index(env, mmu_idx, addr); - CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr); - target_ulong tlb_addr = tlb_addr_write(entry); const size_t tlb_off = offsetof(CPUTLBEntry, addr_write); - unsigned a_bits = get_alignment_bits(get_memop(oi)); + const unsigned a_bits = get_alignment_bits(get_memop(oi)); + const size_t size = memop_size(op); + uintptr_t mmu_idx = get_mmuidx(oi); + uintptr_t index; + CPUTLBEntry *entry; + target_ulong tlb_addr; void *haddr; - size_t size = memop_size(op); + + tcg_debug_assert(mmu_idx < NB_MMU_MODES); /* Handle CPU specific unaligned behaviour */ if (addr & ((1 << a_bits) - 1)) { @@ -2325,6 +2335,10 @@ store_helper(CPUArchState *env, target_ulong addr, uint64_t val, mmu_idx, retaddr); } + index = tlb_index(env, mmu_idx, addr); + entry = tlb_entry(env, mmu_idx, addr); + tlb_addr = tlb_addr_write(entry); + /* If the TLB entry is for a different page, reload and try again. */ if (!tlb_hit(tlb_addr, addr)) { if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
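Review bot: the change of `mmu_idx` from `size_t` to `uintptr_t` in the first atomic_mmu_lookup hunk (@@ -1761) is not explained by the commit message; it appears to be for consistency with load_helper and store_helper, which already declare `uintptr_t mmu_idx`, and one sentence saying so would avoid a reader wondering whether the width matters. Worth noting against the "catch user errors" wording in the message: `tcg_debug_assert` is only an active runtime check in CONFIG_DEBUG_TCG builds, so in a release build an out-of-range index is still not rejected before `tlb_index`/`tlb_entry` use it; the assert does satisfy the static-analysis goal either way.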
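Review bot: in the load_helper hunk (@@ -1908), moving the `tlb_index`, `tlb_entry` and `tlb_addr` initialisers out of the declarations and down past the unaligned-access block is a behaviour-neutral reorder, needed so that `tcg_debug_assert(mmu_idx < NB_MMU_MODES)` can run before the first use of `mmu_idx` without placing a statement ahead of declarations; the commit message only mentions adding the assert, so a line noting the reorder would stop it being read as a functional change. The `const` added to `a_bits` and `size` is fine.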
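Review bot: the store_helper hunk (@@ -2310) repeats the identical `tcg_debug_assert(mmu_idx < NB_MMU_MODES)` that the atomic_mmu_lookup and load_helper hunks add, so the same check now lives at three call sites and a fourth caller that decodes a MemOpIdx would have to remember it. A checked wrapper around `get_mmuidx(oi)`, or the assert inside `tlb_index`/`tlb_entry` themselves (the functions that actually index by `mmu_idx`), would cover all callers once; not blocking for this patch.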