A Null Pointer Dereference Bug #290
Description
We find a NPD bug in function ppc32_icbi
First, the function ppc32_jit_find_by_phys_page may return a NULL value.
static inline ppc32_jit_tcb_t *
ppc32_jit_find_by_phys_page(cpu_ppc_t *cpu,m_uint32_t phys_page)
{
m_uint32_t page_hash = ppc32_jit_get_phys_hash(phys_page);
ppc32_jit_tcb_t *block;
for(block=cpu->exec_phys_map[page_hash];block;block=block->phys_next)
if (block->phys_page == phys_page)
return block;
return NULL;
}Then in function ppc32_icbi, if DEBUG_ICBI is defined and block is NULL, there would be a NULL pointer dereference bug.
void ppc32_icbi(cpu_ppc_t *cpu,m_uint32_t vaddr,u_int op)
{
ppc32_jit_tcb_t *block;
m_uint32_t phys_page;
#if DEBUG_ICBI
cpu_log(cpu->gen,"MTS","ICBI: ia=0x%8.8x, vaddr=0x%8.8x\n",cpu->ia,vaddr);
#endif
if (!cpu->translate(cpu,vaddr,PPC32_MTS_ICACHE,&phys_page)) {
if (cpu->exec_phys_map) {
block = ppc32_jit_find_by_phys_page(cpu,phys_page);
if (block && (block->start_ia == (vaddr & PPC32_MIN_PAGE_MASK))) {
#if DEBUG_ICBI
cpu_log(cpu->gen,"MTS",
"ICBI: removing compiled page at 0x%8.8x, pc=0x%8.8x\n",
block->start_ia,cpu->ia);
#endif
ppc32_jit_tcb_free(cpu,block,TRUE);
cpu->exec_blk_map[ppc32_jit_get_ia_hash(vaddr)] = NULL;
}
else
{
#if DEBUG_ICBI
cpu_log(cpu->gen,"MTS",
"ICBI: trying to remove page 0x%llx with pc=0x%llx\n",
block->start_ia,cpu->is); //NPD here
#endif
}
}
}
}