[Stable-8.2.9 19/45] target/riscv: Avoid bad shift in riscv_cpu_do_interrupt()
From: Michael Tokarev
Subject: [Stable-8.2.9 19/45] target/riscv: Avoid bad shift in riscv_cpu_do_interrupt()
Date: Mon, 27 Jan 2025 23:26:00 +0300
In riscv_cpu_do_interrupt() we use the 'cause' value we got out of
cs->exception as a shift value. However this value can be larger
than 31, which means that "1 << cause" is undefined behaviour,
because we do the shift on an 'int' type.
This causes the undefined behaviour sanitizer to complain
on one of the check-tcg tests:
$ UBSAN_OPTIONS=print_stacktrace=1:abort_on_error=1:halt_on_error=1
./build/clang/qemu-system-riscv64 -M virt -semihosting -display none -device
loader,file=build/clang/tests/tcg/riscv64-softmmu/issue1060
../../target/riscv/cpu_helper.c:1805:38: runtime error: shift exponent 63 is
too large for 32-bit type 'int'
#0 0x55f2dc026703 in riscv_cpu_do_interrupt
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/clang/../../target/riscv/cpu_helper.c:1805:38
#1 0x55f2dc3d170e in cpu_handle_exception
/mnt/nvmedisk/linaro/qemu-from-laptop/qemu/build/clang/../../accel/tcg/cpu-exec.c:752:9
In this case cause is RISCV_EXCP_SEMIHOST, which is 0x3f.
Use 1ULL instead to ensure that the shift is in range.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Fixes: 1697837ed9 ("target/riscv: Add M-mode virtual interrupt and IRQ
filtering support.")
Fixes: 40336d5b1d ("target/riscv: Add HS-mode virtual interrupt and IRQ
filtering support.")
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-ID: <20241128103831.3452572-1-peter.maydell@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
(cherry picked from commit 5311599cdc48337f2f27b1b51a80d46d75b05ed0)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
diff --git a/target/riscv/cpu_helper.c b/target/riscv/cpu_helper.c
index 62dda4f284..7fb2185863 100644
--- a/target/riscv/cpu_helper.c
+++ b/target/riscv/cpu_helper.c
@@ -1646,10 +1646,10 @@ void riscv_cpu_do_interrupt(CPUState *cs)
bool async = !!(cs->exception_index & RISCV_EXCP_INT_FLAG);
target_ulong cause = cs->exception_index & RISCV_EXCP_INT_MASK;
uint64_t deleg = async ? env->mideleg : env->medeleg;
- bool s_injected = env->mvip & (1 << cause) & env->mvien &&
- !(env->mip & (1 << cause));
- bool vs_injected = env->hvip & (1 << cause) & env->hvien &&
- !(env->mip & (1 << cause));
+ bool s_injected = env->mvip & (1ULL << cause) & env->mvien &&
+ !(env->mip & (1ULL << cause));
+ bool vs_injected = env->hvip & (1ULL << cause) & env->hvien &&
+ !(env->mip & (1ULL << cause));
target_ulong tval = 0;
target_ulong tinst = 0;
target_ulong htval = 0;
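Review bot: 1ULL << cause removes the 32-bit undefined behaviour for causes up to 63 (the 0x3f RISCV_EXCP_SEMIHOST case from the report), but cause is only masked with RISCV_EXCP_INT_MASK two lines above, not bounded to values below 64, so a cause of 64 or more would still be an out-of-range shift. Either add a comment stating the invariant that exception_index causes fit in six bits, or guard the four shifts with an assertion on cause < 64 so the assumption is checked rather than implicit.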
--
2.39.5
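The s_injected computation from the patch, modelled stand-alone as an added example (not QEMU code): the mask is built in 64 bits, and causes that do not fit a 64-bit register yield an empty mask instead of an undefined shift. The function names, the bare uint64_t parameters standing in for env->mvip/mvien/mip, and the sample values are assumptions; only the semihost cause 0x3f comes from the commit message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Cause value from the report: RISCV_EXCP_SEMIHOST, 0x3f (63). */
#define SEMIHOST_CAUSE 0x3fu

/* Mask for exception cause 'cause', computed in 64 bits.
 * Shifting by a count >= the operand width is undefined behaviour in C,
 * which is exactly what "1 << 63" on an int triggered; with a 64-bit
 * operand the only remaining out-of-range case is cause >= 64, which we
 * map to an empty mask instead of shifting. */
static uint64_t cause_bit(uint64_t cause)
{
    return cause < 64 ? (1ULL << cause) : 0;
}

/* Mirrors the fixed expression in the patch:
 *   env->mvip & (1ULL << cause) & env->mvien && !(env->mip & (1ULL << cause))
 * i.e. the interrupt is pending and enabled in the M-mode virtual registers
 * and not already pending in mip. */
static bool s_injected(uint64_t mvip, uint64_t mvien, uint64_t mip,
                       uint64_t cause)
{
    uint64_t bit = cause_bit(cause);
    return (mvip & bit & mvien) && !(mip & bit);
}

/* Constructed scenario: bit 63 pending and enabled, nothing in mip yet. */
static bool semihost_is_injected(void)
{
    uint64_t pending = cause_bit(SEMIHOST_CAUSE);
    return s_injected(pending, pending, 0, SEMIHOST_CAUSE);
}

int main(void)
{
    printf("cause 0x%x -> mask 0x%016llx, s_injected=%d\n", SEMIHOST_CAUSE,
           (unsigned long long)cause_bit(SEMIHOST_CAUSE),
           semihost_is_injected());
    /* cause 64 is out of register range: mask is 0, nothing is injected. */
    printf("cause 64 -> mask 0x%016llx\n",
           (unsigned long long)cause_bit(64));
    return 0;
}
```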