From: Meador Inge <[email protected]>

This small patch adds a sanity check when disassembling the BLX instruction. The use case came to light when doing toolchain development and a similar check was upstreamed for Binutils:
* https://sourceware.org/ml/binutils/2011-01/msg00077.html Patch by Nathan Sidwell. Signed-off-by: Meador Inge <[email protected]> --- target-arm/translate.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/target-arm/translate.c b/target-arm/translate.c index 69ac18c..fedc8f3 100644 --- a/target-arm/translate.c +++ b/target-arm/translate.c @@ -9912,6 +9912,12 @@ static int disas_thumb2_insn(CPUARMState *env, DisasContext *s, uint16_t insn_hw gen_jmp(s, offset); } else { /* blx */ + /* The instruction must have bit zero unset, even + though it is part of the offset. Real hardware + will abort, so we do too. */ + if (insn & 1) { + goto illegal_op; + } offset &= ~(uint32_t)2; /* thumb2 bx, no need to check */ gen_bx_im(s, offset); -- 1.8.1.1
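Review bot: the pre-existing comment `/* thumb2 bx, no need to check */` on the `offset &= ~(uint32_t)2;` line now sits directly under the new `if (insn & 1) { goto illegal_op; }` block and reads as if it contradicts it; since the new check rejects bit 0 while that line silently clears bit 1 for alignment, reword it to something like `/* bit 1 is cleared for alignment; bit 0 was checked above */` so the two behaviours are clearly distinguished. The new comment's "Real hardware will abort" could also name the rule it relies on (that bit 0 must be zero in this encoding, as the first sentence of the comment already states) rather than the observed effect, and the commit message would be clearer if it said this is the Thumb-2 32-bit BLX encoding handled in disas_thumb2_insn, which is what the hunk's context shows.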
