qemu-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6

From: wliang
Subject: Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0).
Date: Wed, 23 Feb 2022 22:33:27 +0800 (GMT+08:00)

Hi all,

I find a potential Use-after-free bug in QEMU 6.2.0, which is in handle_simd_shift_fpint_conv()(./target/arm/translate-a64.c).

At line 9048, a variable 'tcg_fpstatus' is freed by invoking tcg_temp_free_ptr(). However, at line 9050, the variable 'tcg_fpstatus' is subsequently use as the 3rd parameter of the function gen_helper_set_rmode. This may result in a use-after-free bug.


9048     tcg_temp_free_ptr(tcg_fpstatus);
9049     tcg_temp_free_i32(tcg_shift);
9050     gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);


I believe the bug can be fixed by invoking the gen_helper_set_rmode() before 'tcg_fpstatus' being freed by the tcg_temp_free_ptr().


 ---     tcg_temp_free_ptr(tcg_fpstatus);
9049     tcg_temp_free_i32(tcg_shift);
9050     gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
 +++     tcg_temp_free_ptr(tcg_fpstatus);
 
I'm looking forward to your confirmation.


Best,

Wentao

Attachment: translate-a64.c.patch
Description: Text Data

reply via email to
[Prev in Thread] Current Thread [Next in Thread]