When translating  "imask" instruction of Tricore architecture, QEMU did not check whether the register index was out of bounds, resulting in a global-buffer-overflow.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1698
Reported-by: Siqi Chen <coc.cyqh@gmail.com>
Signed-off-by: Siqi Chen <coc.cyqh@gmail.com>
---
 target/tricore/translate.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index cd33a1dcdd..3b8d3f53ee 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -5331,6 +5331,7 @@ static void decode_rcrw_insert(DisasContext *ctx)
 
     switch (op2) {
     case OPC2_32_RCRW_IMASK:
+        CHECK_REG_PAIR(r4);
         tcg_gen_andi_tl(temp, cpu_gpr_d[r3], 0x1f);
         tcg_gen_movi_tl(temp2, (1 << width) - 1);
         tcg_gen_shl_tl(cpu_gpr_d[r4 + 1], temp2, temp);
-- 
2.34.1

On Mon, Jun 12, 2023 at 02:56:33PM +0800, Siqi Chen wrote:
> When translating  "imask" instruction of Tricore architecture, QEMU did not check whether the register index was out of bounds, resulting in a global-buffer-overflow.
> 
> Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1698
> Reported-by: Siqi Chen <coc.cyqh@gmail.com>
> Signed-off-by: Siqi Chen <coc.cyqh@gmail.com>
> ---
>  target/tricore/translate.c | 1 +
>  1 file changed, 1 insertion(+)

Reviewed-by: Bastian Koppelmann <kbastian@mail.uni-paderborn.de>

Cheers,
Bastian