[PATCH 5/5] target/riscv/cpu_helper.c: fix bad_shift in riscv_cpu

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH 5/5] target/riscv/cpu_helper.c: fix bad_shift in riscv_cpu_interr

From:	Daniel Henrique Barboza
Subject:	[PATCH 5/5] target/riscv/cpu_helper.c: fix bad_shift in riscv_cpu_interrupt()
Date:	Tue, 21 Jan 2025 15:48:47 -0300

Coverity reported a BAD_SHIFT issue in the following code:

 > 2097
 >>>>      CID 1590355:  Integer handling issues  (BAD_SHIFT)
 >>>>      In expression "hdeleg >> cause", right shifting by more than 63
       bits has undefined behavior.  The shift amount, "cause", is at least 64.
 > 2098         vsmode_exc = env->virt_enabled && (((hdeleg >> cause) & 1) || 
 > vs_injected);
 > 2099         /*

It is not clear to me how the tool guarantees that '"cause" is at least
64', but indeed there's no guarantees that it would be < 64 in the
'async = true' code path.

A simple fix to avoid a potential UB is to add a 'cause < 64' guard like
'mode' is already doing right before 'vsmode_exc'.

Resolves: Coverity CID 1590355
Fixes: 967760f62c ("target/riscv: Implement Ssdbltrp exception handling")
Signed-off-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
---
 target/riscv/cpu_helper.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index e1dfc4ecbf..64d1d68550 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -2095,7 +2095,9 @@ void riscv_cpu_do_interrupt(CPUState *cs)
     mode = env->priv <= PRV_S && cause < 64 &&
         (((deleg >> cause) & 1) || s_injected || vs_injected) ? PRV_S : PRV_M;
 
-    vsmode_exc = env->virt_enabled && (((hdeleg >> cause) & 1) || vs_injected);
+    vsmode_exc = env->virt_enabled && cause < 64 &&
+        (((hdeleg >> cause) & 1) || vs_injected);
+
     /*
      * Check double trap condition only if already in S-mode and targeting
      * S-mode
-- 
2.47.1

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH 0/5] target/riscv: Coverity fixes, Daniel Henrique Barboza, 2025/01/21
- [PATCH 1/5] target/riscv/csr.c: fix deadcode in rmw_xireg(), Daniel Henrique Barboza, 2025/01/21
  - Re: [PATCH 1/5] target/riscv/csr.c: fix deadcode in rmw_xireg(), Alistair Francis, 2025/01/28
- [PATCH 2/5] target/riscv/csr.c: fix 'ret' deadcode in rmw_xireg(), Daniel Henrique Barboza, 2025/01/21
  - Re: [PATCH 2/5] target/riscv/csr.c: fix 'ret' deadcode in rmw_xireg(), Alistair Francis, 2025/01/28
- [PATCH 3/5] target/riscv/csr.c: fix deadcode in rmw_xiregi(), Daniel Henrique Barboza, 2025/01/21
  - Re: [PATCH 3/5] target/riscv/csr.c: fix deadcode in rmw_xiregi(), Alistair Francis, 2025/01/28
- [PATCH 4/5] target/riscv/csr.c: fix deadcode in aia_smode32(), Daniel Henrique Barboza, 2025/01/21
  - Re: [PATCH 4/5] target/riscv/csr.c: fix deadcode in aia_smode32(), Alistair Francis, 2025/01/28
- [PATCH 5/5] target/riscv/cpu_helper.c: fix bad_shift in riscv_cpu_interrupt(), Daniel Henrique Barboza <=
  - Re: [PATCH 5/5] target/riscv/cpu_helper.c: fix bad_shift in riscv_cpu_interrupt(), Alistair Francis, 2025/01/28
- Re: [PATCH 0/5] target/riscv: Coverity fixes, Alistair Francis, 2025/01/28

Prev by Date: [PATCH 4/5] target/riscv/csr.c: fix deadcode in aia_smode32()
Next by Date: Re: [PATCH 08/11] hw/core/generic-loader: Prefer cached CpuClass over CPU_GET_CLASS macro
Previous by thread: Re: [PATCH 4/5] target/riscv/csr.c: fix deadcode in aia_smode32()
Next by thread: Re: [PATCH 5/5] target/riscv/cpu_helper.c: fix bad_shift in riscv_cpu_interrupt()
Index(es):
- Date
- Thread