[Qemu-devel] [PULL 11/23] cpu-exec: fix icount out-of-bounds access
From: Paolo Bonzini
Subject: [Qemu-devel] [PULL 11/23] cpu-exec: fix icount out-of-bounds access
Date: Thu, 16 Feb 2017 15:31:35 +0100
When icount is active, tb_add_jump is surprisingly called with an
out-of-bounds basic block index. I have no idea how that can work,
but it does not seem like a good idea. Clear *last_tb for all
TB_EXIT_ICOUNT_EXPIRED cases, even when all you have to do is
refill icount_extra.
Signed-off-by: Paolo Bonzini <address@hidden>
---
cpu-exec.c | 7 ++++---
include/exec/exec-all.h | 1 +
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/cpu-exec.c b/cpu-exec.c
index 57583f1..1f7d217 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -542,7 +542,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
trace_exec_tb(tb, tb->pc);
ret = cpu_tb_exec(cpu, tb);
- *last_tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
+ tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
*tb_exit = ret & TB_EXIT_MASK;
switch (*tb_exit) {
case TB_EXIT_REQUESTED:
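Review bot: the `tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);` line reuses the function parameter `tb` as the output of cpu_tb_exec, so from here on `tb` is no longer the block that was entered but the last one executed, and `*last_tb` is deliberately left unset until the switch decides; a one-line comment at this point ("tb now holds the last TB executed; *last_tb is set per exit reason below") would save the next reader from assuming the parameter still names the entry block.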
@@ -566,6 +566,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
abort();
#else
int insns_left = cpu->icount_decr.u32;
+ *last_tb = NULL;
if (cpu->icount_extra && insns_left >= 0) {
/* Refill decrementer and continue execution. */
cpu->icount_extra += insns_left;
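Review bot: the new `*last_tb = NULL;` sits before the `if (cpu->icount_extra && insns_left >= 0)` check, so the refill-and-continue path also clears it, which is the point of the commit message; since the comment "Refill decrementer and continue execution." no longer explains why chaining is refused on this path, add a short comment next to the assignment stating that a TB_EXIT_ICOUNT_EXPIRED exit must never be used as a jump index by the caller, otherwise the next person to "optimise" this will move the clear back into the else branch.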
@@ -575,17 +576,17 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
} else {
if (insns_left > 0) {
/* Execute remaining instructions. */
- cpu_exec_nocache(cpu, insns_left, *last_tb, false);
+ cpu_exec_nocache(cpu, insns_left, tb, false);
align_clocks(sc, cpu);
}
cpu->exception_index = EXCP_INTERRUPT;
- *last_tb = NULL;
cpu_loop_exit(cpu);
}
break;
#endif
}
default:
+ *last_tb = tb;
break;
}
}
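Review bot: with the clearing hoisted out of the else branch, removing the `*last_tb = NULL;` before `cpu_loop_exit(cpu);` and passing `tb` to `cpu_exec_nocache` are consistent, but the `default:` arm now becomes the only place that sets `*last_tb = tb`; the body of `case TB_EXIT_REQUESTED:` from the first hunk is not visible here, so please confirm it either falls through to `default` or intentionally leaves `*last_tb` as the caller initialised it, since any `break` in that arm would now silently disable chaining for that exit reason.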
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index bbc9478..21ab7bf 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -318,6 +318,7 @@ static inline void tb_set_jmp_target(TranslationBlock *tb,
static inline void tb_add_jump(TranslationBlock *tb, int n,
TranslationBlock *tb_next)
{
+ assert(n < ARRAY_SIZE(tb->jmp_list_next));
if (tb->jmp_list_next[n]) {
/* Another thread has already done this while we were
* outside of the lock; nothing to do in this case */
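Review bot: `assert(n < ARRAY_SIZE(tb->jmp_list_next));` compares the `int` parameter `n` against a `size_t`, so a negative `n` is promoted to a large unsigned value and does trip the assert, but only implicitly; writing `assert(n >= 0 && n < ARRAY_SIZE(tb->jmp_list_next));` documents that intent and avoids a sign-compare warning. It is also worth stating in the commit message that this assert is what turns the out-of-bounds write reported there into a hard failure rather than a silent corruption of the neighbouring field, and double-checking that exec-all.h already pulls in the header that defines `assert` so the header stays self-contained.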
--
1.8.3.1