summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRichard Henderson2021-03-24 17:46:50 +0100
committerPaolo Bonzini2021-04-01 09:40:45 +0200
commit10b8eb94c0902b58d83df84a9eeae709a3480e82 (patch)
treedf819c641346b0c4914426ac69038ef12e395796
parentmeson: Propagate gnutls dependency to migration (diff)
downloadqemu-10b8eb94c0902b58d83df84a9eeae709a3480e82.tar.gz
qemu-10b8eb94c0902b58d83df84a9eeae709a3480e82.tar.xz
qemu-10b8eb94c0902b58d83df84a9eeae709a3480e82.zip
target/i386: Verify memory operand for lcall and ljmp
These two opcodes only allow a memory operand. Lacking the check for a register operand, we used the A0 temp without initialization, which led to a tcg abort. Buglink: https://bugs.launchpad.net/qemu/+bug/1921138 Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Message-Id: <20210324164650.128608-1-richard.henderson@linaro.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat
-rw-r--r--target/i386/tcg/translate.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index af1faf9342..880bc45561 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -5061,6 +5061,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
gen_jr(s, s->T0);
break;
case 3: /* lcall Ev */
+ if (mod == 3) {
+ goto illegal_op;
+ }
gen_op_ld_v(s, ot, s->T1, s->A0);
gen_add_A0_im(s, 1 << ot);
gen_op_ld_v(s, MO_16, s->T0, s->A0);
@@ -5088,6 +5091,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
gen_jr(s, s->T0);
break;
case 5: /* ljmp Ev */
+ if (mod == 3) {
+ goto illegal_op;
+ }
gen_op_ld_v(s, ot, s->T1, s->A0);
gen_add_A0_im(s, 1 << ot);
gen_op_ld_v(s, MO_16, s->T0, s->A0);
generated by cgit v1.2.3-55-g7522 (git 2.39.0) at 2025-04-21 13:14:34 +0200