On 2020/3/14 12:28, Richard Henderson wrote:
On 3/12/20 7:58 AM, LIU Zhiwei wrote:
+ static gen_helper_amo *const fnsw[9] = {
...
+ static gen_helper_amo *const fnsd[18] = {
...
+ fn = fnsw[seq];
+#ifdef TARGET_RISCV64
+ if (s->sew == 3) {
+ fn = fnsd[seq];
+
+#endif
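Review bot: the unconditional `fn = fnsw[seq]` runs before sew is examined, so any seq that belongs to the 18-entry fnsd[] (seq == 11, for instance) indexes past the 9-entry fnsw[]; on TARGET_RISCV64 the stray value is overwritten a line later, but the out-of-bounds read of a function-pointer table has already happened, and on other targets the stray pointer is what ends up in fn. Test sew first and index only the matching table, with the non-RISCV64 side of the sew == 3 branch asserting unreachable since amo_check() already rejects that case. The quoted hunk also appears to have lost the closing `}` of the `if` (the bare `+` line before `#endif`), which is worth checking in the actual patch.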
This indexing is wrong, since for seq == 11 you index past the end of fnsw[].
Yes, it really is a security bug. Thanks for pointing that out.
Zhiwei
You need something like
    if (s->sew == 3) {
#ifdef TARGET_RISCV64
        fn = fnsd[seq];
#else
        /* Check done in amo_check(). */
        g_assert_not_reached();
#endif
    } else {
        fn = fnsw[seq];
    }
Otherwise it looks ok.
r~
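As an added illustration of the fix discussed in this thread (not code from the patch or from QEMU): a stand-in for the two helper tables and the selection logic in the order Richard suggests, with a bounds check on seq so an out-of-range sequence number yields NULL instead of a read past the table. The gen_helper_amo signature, the stub tables and the simplified amo_check() are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for QEMU's gen_helper_amo function type (assumption, not the
 * real signature): each stub returns 100+slot for fnsw[] and 200+slot for
 * fnsd[], so a test can see which table and slot a lookup produced. */
typedef int gen_helper_amo(void);
#define FNSW_LEN 9
#define FNSD_LEN 18
#define W_SLOTS X(0) X(1) X(2) X(3) X(4) X(5) X(6) X(7) X(8)
#define D_SLOTS W_SLOTS X(9) X(10) X(11) X(12) X(13) X(14) X(15) X(16) X(17)
#define X(n) static int w##n(void) { return 100 + (n); }
W_SLOTS
#undef X
#define X(n) static int d##n(void) { return 200 + (n); }
D_SLOTS
#undef X
#define X(n) w##n,
static gen_helper_amo *const fnsw[FNSW_LEN] = { W_SLOTS };
#undef X
#define X(n) d##n,
static gen_helper_amo *const fnsd[FNSD_LEN] = { D_SLOTS };
#undef X

/* Simplified stand-in for the amo_check() the thread refers to (assumption):
 * a double-word element width (sew == 3) is only accepted on an RV64 target. */
static bool amo_check(int sew, bool target_riscv64)
{
    return sew >= 0 && sew <= 3 && (sew != 3 || target_riscv64);
}

/* Selection in the order Richard suggests: choose the table by sew first,
 * then index it; the bounds check returns NULL instead of reading past it. */
static gen_helper_amo *select_amo_fn(int seq, int sew, bool target_riscv64)
{
    if (!amo_check(sew, target_riscv64)) return NULL;
    if (sew == 3) {
        /* Only reachable on RV64 once amo_check() has passed. */
        return (seq >= 0 && seq < FNSD_LEN) ? fnsd[seq] : NULL;
    }
    return (seq >= 0 && seq < FNSW_LEN) ? fnsw[seq] : NULL;
}

/* The submitted ordering did "fn = fnsw[seq]" before looking at sew, so it read
 * fnsw[] for every seq; report (without doing it) whether that read is past the end. */
static bool submitted_order_reads_past_fnsw(int seq)
{
    return seq < 0 || seq >= FNSW_LEN;
}
```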