On 24/03/21 17:46, Richard Henderson wrote:
> These two opcodes only allow a memory operand.
>
> Lacking the check for a register operand, we used the A0 temp
> without initialization, which led to a tcg abort.
>
> Buglink: https://bugs.launchpad.net/qemu/+bug/1921138
> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
> ---
> target/i386/tcg/translate.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
> index af1faf9342..880bc45561 100644
> --- a/target/i386/tcg/translate.c
> +++ b/target/i386/tcg/translate.c
> @@ -5061,6 +5061,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
> gen_jr(s, s->T0);
> break;
> case 3: /* lcall Ev */
> + if (mod == 3) {
> + goto illegal_op;
> + }
> gen_op_ld_v(s, ot, s->T1, s->A0);
> gen_add_A0_im(s, 1 << ot);
> gen_op_ld_v(s, MO_16, s->T0, s->A0);
> @@ -5088,6 +5091,9 @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
> gen_jr(s, s->T0);
> break;
> case 5: /* ljmp Ev */
> + if (mod == 3) {
> + goto illegal_op;
> + }
> gen_op_ld_v(s, ot, s->T1, s->A0);
> gen_add_A0_im(s, 1 << ot);
> gen_op_ld_v(s, MO_16, s->T0, s->A0);
>
Acked-by: Paolo Bonzini <pbonzini@redhat.com>