On 7/22/25 03:18, gerben@altlinux.org wrote:
> From: Denis Rastyogin <gerben@altlinux.org>
>
> Cast len to long long before multiplying by TARGET_PAGE_SIZE
> when calculating btlb->itree.last to ensure 64-bit arithmetic
> and avoid potential overflow.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Denis Rastyogin <gerben@altlinux.org>
> ---
> target/hppa/mem_helper.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/target/hppa/mem_helper.c b/target/hppa/mem_helper.c
> index 9bdd0a6f23..0c196b5bfc 100644
> --- a/target/hppa/mem_helper.c
> +++ b/target/hppa/mem_helper.c
> @@ -766,7 +766,7 @@ void HELPER(diag_btlb)(CPUHPPAState *env)
>
> /* Create new BTLB entry */
> btlb->itree.start = virt_page << TARGET_PAGE_BITS;
> - btlb->itree.last = btlb->itree.start + len * TARGET_PAGE_SIZE - 1;
> + btlb->itree.last = btlb->itree.start + (long long) len * TARGET_PAGE_SIZE - 1;
> btlb->pa = phys_page << TARGET_PAGE_BITS;
> set_access_bits_pa11(env, btlb, env->gr[20]);
> btlb->t = 0;
(1) long long is always wrong.
(2) If there's truncation anywhere, it's in the type of len itself:
unsigned int len; len = env->gpr[21];
However, from the comment at the top of the function I deduce
this is a parisc-1.1 thing, where gprs are 32 bits, so this is
producing the correct result.
r~