From: Thomas Huth
To: qemu-devel@nongnu.org, Richard Henderson, David Hildenbrand
Cc: qemu-s390x@nongnu.org, Cornelia Huck
Subject: [PATCH] target/s390x/translate: Do not leak stack address in translate_one()
Date: Thu, 23 Jan 2020 08:05:33 +0100
Message-Id: <20200123070533.19699-1-thuth@redhat.com>

The code in translate_one() leaks a stack address via the "s->fields" parameter:

static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
{
    DisasJumpType ret = DISAS_NEXT;
    DisasFields f;
    [...]
    s->fields = &f;
    [...]
    return ret;
}

It's currently harmless since the caller does not seem to use "fields"
anymore, but let's play it safe (and please static code analyzers) by
setting the fields back to NULL before returning.

Buglink: https://bugs.launchpad.net/qemu/+bug/1661815
Signed-off-by: Thomas Huth
Reviewed-by: David Hildenbrand
---
 target/s390x/translate.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index 4292bb0dd0..9122fb36da 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -6435,6 +6435,8 @@ static DisasJumpType translate_one(CPUS390XState *env, DisasContext *s)
     }
 #endif
 
+    s->fields = NULL;
+
     /* Advance to the next instruction. */
     s->base.pc_next = s->pc_tmp;
     return ret;
-- 
2.18.1
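Review bot: the reset covers only the exit path visible in this hunk, the one after `#endif` that falls through to `return ret;`. The commit message elides the body between `s->fields = &f;` and that return as `[...]`, so if translate_one() has any earlier `return` after the assignment, the dangling pointer would survive on that path. Worth confirming in the review that the function has a single exit, or otherwise resetting `s->fields` at each return (or in the caller, which owns `s` and outlives the frame) so every path is covered; a caller-side `assert(s->fields == NULL)` after the call would also make the stated assumption that "the caller does not seem to use fields anymore" checkable rather than implicit.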
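As an added illustration of the pattern the commit message describes (a long-lived context struct left pointing at a local that has gone out of scope), here is a constructed C example that is not QEMU's code: `Fields`, `Ctx`, `decode()` and the `code[]` byte array are hypothetical stand-ins for DisasFields, DisasContext and the real s390x decoder. It puts the leaky shape next to the shape the patch introduces, and adds the caller-side invariant check a reviewer could ask for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for QEMU's DisasFields and DisasContext
 * (constructed for this example; not the real QEMU definitions). */
typedef struct {
    uint16_t opcode;
    uint8_t  r1, r2;
} Fields;

typedef struct {
    const Fields *fields;   /* only valid while the decoder's frame is live */
    uint64_t pc;
    uint64_t pc_next;
} Ctx;

/* Constructed 2-byte "instruction stream": opcode byte, then two register nibbles. */
static const uint8_t code[] = { 0x18, 0x12, 0x1A, 0x34 };

/* Decode the halfword at pc into f. */
static void decode(Fields *f, const uint8_t *mem, uint64_t pc)
{
    f->opcode = mem[pc];
    f->r1 = mem[pc + 1] >> 4;
    f->r2 = mem[pc + 1] & 0x0f;
}

/* "Before" shape: the address of a local escapes into the context and is
 * never cleared, so s->fields dangles once this function returns. */
static int translate_one_leaky(Ctx *s)
{
    Fields f;
    decode(&f, code, s->pc);
    s->fields = &f;               /* stack address stored in a longer-lived object */
    int ret = f.opcode;
    s->pc_next = s->pc + 2;
    return ret;                   /* f dies here; s->fields still points at it */
}

/* "After" shape, same idea as the patch: reset the pointer before returning. */
static int translate_one_fixed(Ctx *s)
{
    Fields f;
    decode(&f, code, s->pc);
    s->fields = &f;
    int ret = f.opcode;
    s->fields = NULL;             /* no reference to the dying frame survives */
    s->pc_next = s->pc + 2;
    return ret;
}

/* Caller-side invariant: after a translate step, the context must not
 * reference the decoder's frame. Compares the pointer value only. */
bool context_is_clean(const Ctx *s)
{
    return s->fields == NULL;
}

bool leaky_leaves_clean_context(void)
{
    Ctx s = { .fields = NULL, .pc = 0, .pc_next = 0 };
    (void)translate_one_leaky(&s);
    return context_is_clean(&s);  /* false: stale pointer left behind */
}

bool fixed_leaves_clean_context(void)
{
    Ctx s = { .fields = NULL, .pc = 2, .pc_next = 0 };
    (void)translate_one_fixed(&s);
    return context_is_clean(&s);  /* true */
}

/* Opcode the fixed variant reports for the instruction at pc. */
int fixed_opcode_at(uint64_t pc)
{
    Ctx s = { .fields = NULL, .pc = pc, .pc_next = 0 };
    return translate_one_fixed(&s);
}

int main(void)
{
    printf("leaky: context clean after return = %s\n",
           leaky_leaves_clean_context() ? "yes" : "no");
    printf("fixed: context clean after return = %s (opcode 0x%02x)\n",
           fixed_leaves_clean_context() ? "yes" : "no", fixed_opcode_at(2));
    return 0;
}
```

The check in `context_is_clean()` is the kind of assertion that turns "the caller does not seem to use fields anymore" into an enforced invariant; it only inspects the pointer value and never dereferences it, since reading through the stale pointer in the leaky variant would be undefined behaviour. Recent GCC releases should also report the store in `translate_one_leaky()` under -Wdangling-pointer, which is the "please static code analyzers" half of the commit message.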