qemu-devel


Re: Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv()


From: Richard Henderson
Subject: Re: Fix a potential Use-after-free bug in handle_simd_shift_fpint_conv() (v6.2.0).
Date: Wed, 23 Feb 2022 09:13:33 -1000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0

On 2/23/22 04:33, wliang@stu.xidian.edu.cn wrote:

Hi all,

I found a potential use-after-free bug in QEMU 6.2.0, in handle_simd_shift_fpint_conv() (./target/arm/translate-a64.c).

At line 9048, the variable 'tcg_fpstatus' is freed by invoking tcg_temp_free_ptr(). However, at line 9050, the variable 'tcg_fpstatus' is subsequently used as the 3rd parameter of the function gen_helper_set_rmode(). This may result in a use-after-free bug.


9048    tcg_temp_free_ptr(tcg_fpstatus);
9049    tcg_temp_free_i32(tcg_shift);
9050    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);


I believe the bug can be fixed by invoking gen_helper_set_rmode() before 'tcg_fpstatus' is freed by tcg_temp_free_ptr().


  ---    tcg_temp_free_ptr(tcg_fpstatus);
9049    tcg_temp_free_i32(tcg_shift);
9050    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
  +++    tcg_temp_free_ptr(tcg_fpstatus);
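Review bot: this hunk will not apply as a patch: `---`/`+++` are unified-diff file-header markers, not per-line remove/add markers, and the `9049`/`9050` prefixes are source line numbers rather than diff context. Regenerate it with `git format-patch` against target/arm/translate-a64.c so the hunk carries an `@@` header and reads `-    tcg_temp_free_ptr(tcg_fpstatus);` above the two unchanged lines and `+    tcg_temp_free_ptr(tcg_fpstatus);` below them, and add the Signed-off-by tag. The reordering itself is sound: tcg_shift is not an argument of gen_helper_set_rmode(), so freeing it before the helper call is fine, and tcg_fpstatus is now freed only after its last use.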

I'm looking forward to your confirmation.

The fix is correct. We just need the submission formatted properly, with your Signed-off-by tag. When re-formatting, you can add my

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>


r~

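The ordering bug discussed above, as an added example that is not part of the thread or of QEMU's code. It is a hypothetical model of a translator's temporary pool (slot array with an `allocated` flag, lowest free slot reused first); the names `temp_new`, `temp_free` and `emit_set_rmode` are assumptions standing in for the TCG calls in the report. It shows the freed-then-used order from lines 9048-9050 being caught by an allocation check, the silent wrong-value read that happens when the freed slot is reused before the check, and the order from the proposed fix.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical model of a translator's temporary pool, added to illustrate
 * the ordering bug in the report. It is NOT QEMU's TCG code: here, freeing
 * a temp just returns its slot to the pool, and a later allocation reuses
 * the lowest free slot.
 */
#define NTEMPS 4

struct temp {
    bool allocated;
    int value;      /* stands in for whatever the temp holds */
};

static struct temp pool[NTEMPS];

/* Allocate the lowest free slot (a free list would behave the same way). */
static int temp_new(int value)
{
    for (int i = 0; i < NTEMPS; i++) {
        if (!pool[i].allocated) {
            pool[i].allocated = true;
            pool[i].value = value;
            return i;
        }
    }
    return -1;  /* pool exhausted */
}

static void temp_free(int t)
{
    pool[t].allocated = false;
}

/*
 * Model of emitting gen_helper_set_rmode(rmode, rmode, fpstatus).
 * Returns the value read through fpstatus, or -1 if an operand is a freed
 * temp (the check a debug assertion in the translator would perform).
 */
static int emit_set_rmode(int rmode, int fpstatus)
{
    if (!pool[rmode].allocated || !pool[fpstatus].allocated) {
        return -1;
    }
    return pool[fpstatus].value;
}

/* Order from the report (lines 9048-9050): fpstatus freed, then used. */
static int buggy_order(void)
{
    int fpstatus = temp_new(42);
    int shift = temp_new(3);
    int rmode = temp_new(1);

    temp_free(fpstatus);
    temp_free(shift);
    int r = emit_set_rmode(rmode, fpstatus);   /* use after free: caught */
    temp_free(rmode);
    return r;
}

/*
 * Same bug without the check: an allocation between the free and the use
 * reclaims fpstatus's slot, so the "fpstatus" operand silently reads the
 * other temp's value.
 */
static int silent_reuse(void)
{
    int fpstatus = temp_new(42);
    temp_free(fpstatus);
    int other = temp_new(99);                  /* lands in the same slot */
    int r = (other == fpstatus) ? pool[fpstatus].value : -2;
    temp_free(other);
    return r;
}

/* Order from the proposed fix: helper emitted, then fpstatus freed. */
static int fixed_order(void)
{
    int fpstatus = temp_new(42);
    int shift = temp_new(3);
    int rmode = temp_new(1);

    temp_free(shift);                          /* not an operand of the helper */
    int r = emit_set_rmode(rmode, fpstatus);
    temp_free(fpstatus);                       /* freed only after its last use */
    temp_free(rmode);
    return r;
}

int main(void)
{
    printf("buggy order  -> %d (-1 means a freed temp was used)\n", buggy_order());
    printf("silent reuse -> %d (caller expected 42)\n", silent_reuse());
    printf("fixed order  -> %d\n", fixed_order());
    return 0;
}
```

The point of `silent_reuse` is that a temporary freed at translation time is not a dangling host pointer; the hazard is that the slot is handed to the next allocation, so the emitted helper call would read a different temp with no crash to flag it. That is why the free must come after the last use, exactly as the proposed reordering does.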

