On Thu, Jun 22, 2023 at 10:43:16AM +0300, Michael Tokarev wrote: > 21.06.2023 19:14, Bastian Koppelmann wrote: > > From: Siqi Chen <coc.c...@gmail.com> > > > > When translating "imask" instruction of Tricore architecture, QEMU did not > > check whether the register index was out of bounds, resulting in a > > global-buffer-overflow. > > > > Reviewed-by: Bastian Koppelmann <kbast...@mail.uni-paderborn.de> > > Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1698 > > Reported-by: Siqi Chen <coc.c...@gmail.com> > > Signed-off-by: Siqi Chen <coc.c...@gmail.com> > > Signed-off-by: Bastian Koppelmann <kbast...@mail.uni-paderborn.de> > > Message-Id: <20230612065633.149152-1-coc.c...@gmail.com> > > Message-Id: <20230612113245.56667-2-kbast...@mail.uni-paderborn.de> > > --- > > target/tricore/translate.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/target/tricore/translate.c b/target/tricore/translate.c > > index 6712d98f6e..74faad4794 100644 > > --- a/target/tricore/translate.c > > +++ b/target/tricore/translate.c > > @@ -5339,6 +5339,7 @@ static void decode_rcrw_insert(DisasContext *ctx) > > switch (op2) { > > case OPC2_32_RCRW_IMASK: > > + CHECK_REG_PAIR(r4); > > tcg_gen_andi_tl(temp, cpu_gpr_d[r3], 0x1f); > > tcg_gen_movi_tl(temp2, (1 << width) - 1); > > tcg_gen_shl_tl(cpu_gpr_d[r4 + 1], temp2, temp); > > Is it a -stable material?
Yes. If you pick this up, make sure you also pick up
https://lore.kernel.org/qemu-devel/20230621161422.1652151-1-kbast...@mail.uni-paderborn.de/T/#md18391dd165c4fc2e60ddefb886f3522e715f487
which applies the same fix to other instructions.

Cheers,
Bastian
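
Review bot: In the OPC2_32_RCRW_IMASK case the commit message says only that the register index was out of bounds and does not name the access involved; the hunk shows a write to cpu_gpr_d[r4 + 1] directly after the new CHECK_REG_PAIR(r4), so stating in the message that the r4 + 1 pair access is what the check guards would make the fix easier to audit and to backport. The diffstat lists one insertion in target/tricore/translate.c and nothing else, so no regression test for issue 1698 accompanies the change; a test that decodes imask with the operand from the report would keep the check from being dropped later. Given the reply that the same fix is needed for other instructions, it is also worth confirming that the remaining cases of this switch in decode_rcrw_insert are covered by that follow-up.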