From patchwork Fri Jan 30 12:36:01 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Kirill Batuzov <batuzovk@ispras.ru>
X-Patchwork-Id: 434845
Return-Path: <qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.gnu.org (lists.gnu.org [IPv6:2001:4830:134:3::11])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 72A7A1402AE
	for <incoming@patchwork.ozlabs.org>;
	Fri, 30 Jan 2015 23:36:39 +1100 (AEDT)
Received: from localhost ([::1]:36389 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>)
	id 1YHAoP-0004ES-Nt
	for incoming@patchwork.ozlabs.org; Fri, 30 Jan 2015 07:36:37 -0500
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51448)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <batuzovk@ispras.ru>) id 1YHAo4-0003y0-M4
	for qemu-devel@nongnu.org; Fri, 30 Jan 2015 07:36:20 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <batuzovk@ispras.ru>) id 1YHAo0-0000VN-LE
	for qemu-devel@nongnu.org; Fri, 30 Jan 2015 07:36:16 -0500
Received: from smtp.ispras.ru ([83.149.199.79]:33492)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <batuzovk@ispras.ru>) id 1YHAo0-0000VH-Dw
	for qemu-devel@nongnu.org; Fri, 30 Jan 2015 07:36:12 -0500
Received: from bulbul.intra.ispras.ru (unknown [83.149.199.91])
	by smtp.ispras.ru (Postfix) with ESMTP id CD5B321EFA;
	Fri, 30 Jan 2015 15:36:09 +0300 (MSK)
From: Kirill Batuzov <batuzovk@ispras.ru>
To: qemu-devel@nongnu.org
Date: Fri, 30 Jan 2015 15:36:01 +0300
Message-Id: <1422621361-23408-1-git-send-email-batuzovk@ispras.ru>
X-Mailer: git-send-email 1.7.10.4
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 83.149.199.79
Cc: Peter Maydell <peter.maydell@linaro.org>,
	Kirill Batuzov <batuzovk@ispras.ru>
Subject: [Qemu-devel] [PATCH] target-arm: check that LSB <= MSB in BFI
	instruction
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org
Sender: qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org

The documentation states that if LSB > MSB in BFI instruction behaviour
is unpredictable. Currently QEMU crashes because of assertion failure in
this case:

tcg/tcg-op.h:2061: tcg_gen_deposit_i32: Assertion `len <= 32' failed.

While assertion failure may meet the "unpredictable" definition this
behaviour is undesirable because it allows an unprivileged guest program
to crash the emulator with the OS and other programs.

This patch addresses the issue by throwing illegal instruction exception
if LSB > MSB. Only ARM decoder is affected because Thumb decoder already
has this check in place.

To reproduce issue run the following program

int main(void) {
    asm volatile (".long 0x07c00c12" :: );
    return 0;
}

compiled with
  gcc -marm -static badop_arm.c -o badop_arm

Signed-off-by: Kirill Batuzov <batuzovk@ispras.ru>
---
 target-arm/translate.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/target-arm/translate.c b/target-arm/translate.c
index bdfcdf1..2821289 100644
--- a/target-arm/translate.c
+++ b/target-arm/translate.c
@@ -8739,6 +8739,8 @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
                         ARCH(6T2);
                         shift = (insn >> 7) & 0x1f;
                         i = (insn >> 16) & 0x1f;
+                        if (i < shift)
+                            goto illegal_op;
                         i = i + 1 - shift;
                         if (rm == 15) {
                             tmp = tcg_temp_new_i32();