On 2/23/22 04:33, wli...@stu.xidian.edu.cn wrote:

Hi all,

I found a potential use-after-free bug in QEMU 6.2.0, which is in handle_simd_shift_fpint_conv() (./target/arm/translate-a64.c).

At line 9048, a variable 'tcg_fpstatus' is freed by invoking tcg_temp_free_ptr(). However, at line 9050, the variable 'tcg_fpstatus' is subsequently used as the 3rd parameter of the function gen_helper_set_rmode. This may result in a use-after-free bug.


9048    tcg_temp_free_ptr(tcg_fpstatus);
9049    tcg_temp_free_i32(tcg_shift);
9050    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);


I believe the bug can be fixed by invoking gen_helper_set_rmode() before 'tcg_fpstatus' is freed by tcg_temp_free_ptr().


  ---    tcg_temp_free_ptr(tcg_fpstatus);
9049    tcg_temp_free_i32(tcg_shift);
9050    gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
  +++    tcg_temp_free_ptr(tcg_fpstatus);
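Review bot: the reordering itself is right, because gen_helper_set_rmode on line 9050 must receive tcg_fpstatus while it is still allocated, but the hunk as written cannot be applied: the removed and added lines carry `---`/`+++` markers (which diff tools treat as file headers) rather than single `-`/`+` prefixes, and there is no `@@` hunk header or file header. Please resend it as a unified diff (for example from `git format-patch`) with a Signed-off-by line so it can be picked up as-is.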

I'm looking forward to your confirmation.
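To make the ordering problem concrete, here is an added, self-contained C model (not QEMU's code) of a temp pool in which every free clears a "live" flag and every use is checked, so the reported free-then-use sequence is flagged while the proposed order is not. The pool, the temp_new/temp_free/temp_use helpers and set_rmode are constructed stand-ins for the TCG APIs named in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical TCG-style temp pool: a temp is "live" from temp_new()
 * until temp_free(); any use of a dead temp is counted as a UAF. */
#define NTEMPS 8
typedef struct { int id; bool live; } temp_t;
static temp_t pool[NTEMPS];
static int uaf_count;   /* number of use-after-free uses observed */

static void pool_reset(void) {
    for (int i = 0; i < NTEMPS; i++) { pool[i].id = i; pool[i].live = false; }
    uaf_count = 0;
}
static temp_t *temp_new(void) {               /* stand-in for tcg_temp_new_* */
    for (int i = 0; i < NTEMPS; i++)
        if (!pool[i].live) { pool[i].live = true; return &pool[i]; }
    return NULL;
}
static void temp_free(temp_t *t) { t->live = false; }   /* tcg_temp_free_* */

/* Every read of a temp goes through this check (a debug-build style guard). */
static bool temp_use(temp_t *t, const char *who) {
    if (!t->live) {
        uaf_count++;
        fprintf(stderr, "%s: temp %d used after free\n", who, t->id);
        return false;
    }
    return true;
}
/* Stand-in for gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus). */
static bool set_rmode(temp_t *rmode, temp_t *fpstatus) {
    bool ok = temp_use(rmode, "set_rmode");
    ok = temp_use(fpstatus, "set_rmode") && ok;
    return ok;
}

/* Sequence as reported (lines 9048-9050): returns the number of UAF uses. */
int epilogue_as_reported(void) {
    pool_reset();
    temp_t *tcg_rmode = temp_new(), *tcg_shift = temp_new(), *tcg_fpstatus = temp_new();
    temp_free(tcg_fpstatus);            /* freed here ... */
    temp_free(tcg_shift);
    set_rmode(tcg_rmode, tcg_fpstatus); /* ... and used here: flagged */
    return uaf_count;
}
/* Sequence with the proposed fix: set_rmode runs before tcg_fpstatus is freed. */
int epilogue_as_fixed(void) {
    pool_reset();
    temp_t *tcg_rmode = temp_new(), *tcg_shift = temp_new(), *tcg_fpstatus = temp_new();
    temp_free(tcg_shift);
    set_rmode(tcg_rmode, tcg_fpstatus); /* tcg_fpstatus still live: clean */
    temp_free(tcg_fpstatus);
    return uaf_count;
}
```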

The fix is correct. We just need the submission formatted properly, with your Signed-off-by tag. When re-formatting, you can add my

Reviewed-by: Richard Henderson <richard.hender...@linaro.org>


r~
