target/tricore: Fix out-of-bounds index in imask instruction

When translating "imask" instruction of Tricore architecture, QEMU did not check whether the register index was out of bounds, resulting in a global-buffer-overflow. Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1698 Reported-by: Siqi Chen <coc.cyqh@gmail.com> Signed-off-by: Siqi Chen <coc.cyqh@gmail.com> Signed-off-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de> Message-Id: <20230612065633.149152-1-coc.cyqh@gmail.com> Message-Id: <20230612113245.56667-2-kbastian@mail.uni-paderborn.de> (cherry picked from commit d34b092) Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
qemu · Jun 23, 2023 · b9e1415 · b9e1415
1 parent 4553eee
commit b9e1415
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/target/tricore/translate.c b/target/tricore/translate.c
@@ -5327,6 +5327,7 @@ static void decode_rcrw_insert(DisasContext *ctx)
 
     switch (op2) {
     case OPC2_32_RCRW_IMASK:
+        CHECK_REG_PAIR(r4);
         tcg_gen_andi_tl(temp, cpu_gpr_d[r3], 0x1f);
         tcg_gen_movi_tl(temp2, (1 << width) - 1);
         tcg_gen_shl_tl(cpu_gpr_d[r4 + 1], temp2, temp);