Global-buffer-overflow in QEMU TriCore TCG
Description
When translating the "imask" instruction of the TriCore architecture, QEMU did not check whether the register index was out of bounds, resulting in a global-buffer-overflow.
Crash Details
==86292==ERROR: AddressSanitizer: global-buffer-overflow on address 0x559a2cf21440 at pc 0x559a2a8b3dc0 bp 0x7f9f90ffbd70 sp 0x7f9f90ffbd60
READ of size 8 at 0x559a2cf21440 thread T2
#0 0x559a2a8b3dbf in decode_rcrw_insert ../target/tricore/translate.c:5335
#1 0x559a2a97565d in decode_32Bit_opc ../target/tricore/translate.c:8128
#2 0x559a2a97565d in tricore_tr_translate_insn ../target/tricore/translate.c:8307
#3 0x559a2ab1487a in translator_loop ../accel/tcg/translator.c:184
#4 0x559a2a980f96 in gen_intermediate_code ../target/tricore/translate.c:8359
#5 0x559a2ab0ede8 in setjmp_gen_code ../accel/tcg/translate-all.c:288
#6 0x559a2ab0fd6d in tb_gen_code ../accel/tcg/translate-all.c:382
#7 0x559a2aae6cae in cpu_exec_loop ../accel/tcg/cpu-exec.c:971
#8 0x559a2aae9509 in cpu_exec_setjmp ../accel/tcg/cpu-exec.c:1036
#9 0x559a2aae9871 in cpu_exec ../accel/tcg/cpu-exec.c:1062
#10 0x559a2ab64578 in tcg_cpus_exec ../accel/tcg/tcg-accel-ops.c:81
#11 0x559a2ab66468 in rr_cpu_thread_fn ../accel/tcg/tcg-accel-ops-rr.c:261
#12 0x559a2b177f74 in qemu_thread_start ../util/qemu-thread-posix.c:541
#13 0x7f9fd5294b42 in start_thread nptl/pthread_create.c:442
#14 0x7f9fd53269ff (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
0x559a2cf21440 is located 32 bytes to the left of global variable 'cpu_gpr_a' defined in '../target/tricore/translate.c:49:13' (0x559a2cf21460) of size 128
0x559a2cf21440 is located 0 bytes to the right of global variable 'cpu_gpr_d' defined in '../target/tricore/translate.c:50:13' (0x559a2cf213c0) of size 128
SUMMARY: AddressSanitizer: global-buffer-overflow ../target/tricore/translate.c:5335 in decode_rcrw_insert
Thread T2 created by T0 here:
#0 0x7f9fd6258685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x559a2b17bf52 in qemu_thread_create ../util/qemu-thread-posix.c:581
==86292==ABORTING
Analysis
Function: decode_rcrw_insert
Code: tcg_gen_shl_tl(cpu_gpr_d[r4 + 1], temp2, temp);
Key instruction: d7 30 3f f0
r4 + 1 can exceed the maximum index of cpu_gpr_d. The ASan report shows an 8-byte read 0 bytes past the 128-byte cpu_gpr_d array, i.e. index 16 of a 16-entry array, so r4 was 15 for this instruction.
Suggested Patch
Add CHECK_REG_PAIR(r4) before r4 + 1 is used. There may be other similar problems in the same file.
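To make the analysis concrete, here is an added example (not QEMU's own code) that reassembles the quoted instruction bytes, shows the out-of-range pair index the unchecked decode computes, and applies a check modelled on the suggested CHECK_REG_PAIR. The D field position (bits 31:28) and the 16-entry register file are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TriCore has 16 data registers d0..d15; QEMU's cpu_gpr_d[] has 16 entries. */
#define NUM_GPR_D 16

/* Bits [31:28] of an RCRW word hold the destination register D (assumed layout). */
static unsigned rcrw_dest_reg(uint32_t opcode)
{
    return (opcode >> 28) & 0xf;
}

/* Reassemble the little-endian instruction bytes quoted in the report
 * ("d7 30 3f f0") into the 32-bit opcode the decoder works on. */
static uint32_t opcode_from_bytes(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Unchecked decode, as in the bug: the high half of the pair is r4 + 1.
 * With r4 == 15 this is 16, one past the end of cpu_gpr_d[]. */
static unsigned unchecked_pair_high(uint32_t opcode)
{
    return rcrw_dest_reg(opcode) + 1;
}

/* Hardened decode modelled on the suggested CHECK_REG_PAIR: a 64-bit pair must
 * start at an even register, so an odd r4 is rejected before any indexing. */
static bool checked_pair_high(uint32_t opcode, unsigned *high)
{
    unsigned r4 = rcrw_dest_reg(opcode);
    if (r4 & 1) {
        return false;      /* QEMU would raise an illegal-operand trap here */
    }
    *high = r4 + 1;        /* even r4 <= 14, so *high <= 15 < NUM_GPR_D */
    return true;
}

int main(void)
{
    const uint8_t key_insn[4] = { 0xd7, 0x30, 0x3f, 0xf0 }; /* from the report */
    uint32_t op = opcode_from_bytes(key_insn);
    unsigned high = 0;
    printf("opcode 0x%08x: r4=%u, unchecked index %u (array size %d), %s\n",
           op, rcrw_dest_reg(op), unchecked_pair_high(op), NUM_GPR_D,
           checked_pair_high(op, &high) ? "check accepts" : "check rejects");
    return 0;
}
```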
Edited by Siqi Chen