[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 57/81] cpu-exec: fix icount out-of-bounds access
From: |
Michael Roth |
Subject: |
[Qemu-devel] [PATCH 57/81] cpu-exec: fix icount out-of-bounds access |
Date: |
Mon, 20 Mar 2017 18:08:21 -0500 |
From: Paolo Bonzini <address@hidden>
When icount is active, tb_add_jump is surprisingly called with an
out of bounds basic block index. I have no idea how that can work,
but it does not seem like a good idea. Clear *last_tb for all
TB_EXIT_ICOUNT_EXPIRED cases, even when all you have to do is
refill icount_extra.
Signed-off-by: Paolo Bonzini <address@hidden>
(cherry picked from commit 43d70ddf9f96b3ad037abe4d5f9f2768196b8c92)
Signed-off-by: Michael Roth <address@hidden>
---
cpu-exec.c | 7 ++++---
include/exec/exec-all.h | 1 +
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/cpu-exec.c b/cpu-exec.c
index 4188fed..c081a7a 100644
--- a/cpu-exec.c
+++ b/cpu-exec.c
@@ -542,7 +542,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
trace_exec_tb(tb, tb->pc);
ret = cpu_tb_exec(cpu, tb);
- *last_tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
+ tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
*tb_exit = ret & TB_EXIT_MASK;
switch (*tb_exit) {
case TB_EXIT_REQUESTED:
@@ -566,6 +566,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
abort();
#else
int insns_left = cpu->icount_decr.u32;
+ *last_tb = NULL;
if (cpu->icount_extra && insns_left >= 0) {
/* Refill decrementer and continue execution. */
cpu->icount_extra += insns_left;
@@ -575,17 +576,17 @@ static inline void cpu_loop_exec_tb(CPUState *cpu,
TranslationBlock *tb,
} else {
if (insns_left > 0) {
/* Execute remaining instructions. */
- cpu_exec_nocache(cpu, insns_left, *last_tb, false);
+ cpu_exec_nocache(cpu, insns_left, tb, false);
align_clocks(sc, cpu);
}
cpu->exception_index = EXCP_INTERRUPT;
- *last_tb = NULL;
cpu_loop_exit(cpu);
}
break;
#endif
}
default:
+ *last_tb = tb;
break;
}
}
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index a8c13ce..e596ff7 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -320,6 +320,7 @@ static inline void tb_set_jmp_target(TranslationBlock *tb,
static inline void tb_add_jump(TranslationBlock *tb, int n,
TranslationBlock *tb_next)
{
+ assert(n < ARRAY_SIZE(tb->jmp_list_next));
if (tb->jmp_list_next[n]) {
/* Another thread has already done this while we were
* outside of the lock; nothing to do in this case */
--
2.7.4
- [Qemu-devel] [PATCH 50/81] tcg/aarch64: Fix addsub2 for 0+C, (continued)
- [Qemu-devel] [PATCH 50/81] tcg/aarch64: Fix addsub2 for 0+C, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 40/81] pc: fix crash in rtc_set_memory() if initial cpu is marked as hotplugged, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 45/81] virtio-crypto: fix possible integer and heap overflow, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 48/81] x86: ioapic: fix fail migration when irqchip=split, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 53/81] virtio: fix up max size checks, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 35/81] machine: Convert abstract typename on compat_props to subclass names, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 34/81] 9pfs: fix vulnerability in openat_dir() and local_unlinkat_common(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 47/81] display: cirrus: ignore source pitch value as needed in blit_is_unsafe, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 04/81] 9pfs: introduce relative_openat_nofollow() helper, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 60/81] s390x/kvm: fix small race reboot vs. cmma, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 57/81] cpu-exec: fix icount out-of-bounds access,
Michael Roth <=
- [Qemu-devel] [PATCH 54/81] block/iscsi: avoid data corruption with cache=writeback, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 58/81] ahci: advertise HOST_CAP_64, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 62/81] block/nfs: fix naming of runtime opts, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 65/81] target-ppc, tcg: fix usermode segfault with pthread_create(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 67/81] target/sparc: Restore ldstub of odd asis, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 68/81] apic: reset apic_delivered global variable on machine reset, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 41/81] ui/gtk: fix crash at startup when no console is available, Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 44/81] qemu-thread: fix qemu_thread_set_name() race in qemu_thread_create(), Michael Roth, 2017/03/20
- [Qemu-devel] [PATCH 49/81] char: fix ctrl-a b not working, Michael Roth, 2017/03/20