Hi all, I found a potential use-after-free bug in QEMU 6.2.0, which is in handle_simd_shift_fpint_conv() (./target/arm/translate-a64.c).
At line 9048, the variable 'tcg_fpstatus' is freed by invoking tcg_temp_free_ptr(). However, at line 9050, the variable 'tcg_fpstatus' is subsequently used as the 3rd parameter of the function gen_helper_set_rmode(). This may result in a use-after-free bug.

9048     tcg_temp_free_ptr(tcg_fpstatus);
9049     tcg_temp_free_i32(tcg_shift);
9050     gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);

I believe the bug can be fixed by invoking gen_helper_set_rmode() before 'tcg_fpstatus' is freed by tcg_temp_free_ptr():

---      tcg_temp_free_ptr(tcg_fpstatus);
9049     tcg_temp_free_i32(tcg_shift);
9050     gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus);
+++      tcg_temp_free_ptr(tcg_fpstatus);

I'm looking forward to your confirmation.

Best,
Wentao
--- ./target/arm/translate-a64.c 2022-02-23 15:06:32.212756633 +0800 +++ ./target/arm/translate-a64-PATCH.c 2022-02-23 21:13:15.604128138 +0800 @@ -9045,9 +9045,9 @@ } } - tcg_temp_free_ptr(tcg_fpstatus); tcg_temp_free_i32(tcg_shift); gen_helper_set_rmode(tcg_rmode, tcg_rmode, tcg_fpstatus); + tcg_temp_free_ptr(tcg_fpstatus); tcg_temp_free_i32(tcg_rmode); }
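Review bot: the reordering in this hunk is the right fix, since gen_helper_set_rmode() still emits a TCG op that reads tcg_fpstatus, so the temp must not be released until after that call; moving tcg_temp_free_ptr(tcg_fpstatus) to just before tcg_temp_free_i32(tcg_rmode) puts both frees after their last use, and leaving tcg_temp_free_i32(tcg_shift) where it is remains fine because tcg_shift is not an operand of the helper call. Note that this is a translator-side temp-lifetime bug (a freed TCG temp referenced by a later emitted op) rather than a freed heap object in the C sense, so the subject and commit message should describe it as such. The patch as posted is a bare file diff between translate-a64.c and a renamed copy (translate-a64-PATCH.c) with no subject line or Signed-off-by; for it to be applied it should be regenerated against the git tree (git format-patch) with a one-line subject such as "target/arm: Free tcg_fpstatus after its last use in handle_simd_shift_fpint_conv" and a Signed-off-by line.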