target-s390x: Only access allocated storage keys

Message ID 1433371964-130944-1-git-send-email-agraf@suse.de
State New

Commit Message

Alexander Graf June 3, 2015, 10:52 p.m. UTC
We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure that
we only access that many. Unfortunately the code can overrun this array by
one, potentially overwriting unrelated memory.

Fix it by limiting storage keys to their scope.

Signed-off-by: Alexander Graf <agraf@suse.de>
---
 target-s390x/mmu_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Aurelien Jarno June 4, 2015, 5:14 a.m. UTC | #1
On 2015-06-04 00:52, Alexander Graf wrote:
> We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure that
> we only access that many. Unfortunately the code can overrun this array by
> one, potentially overwriting unrelated memory.
> 
> Fix it by limiting storage keys to their scope.
> 
> Signed-off-by: Alexander Graf <agraf@suse.de>
> ---
>  target-s390x/mmu_helper.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/target-s390x/mmu_helper.c b/target-s390x/mmu_helper.c
> index e8dcd0c..815ff42 100644
> --- a/target-s390x/mmu_helper.c
> +++ b/target-s390x/mmu_helper.c
> @@ -358,7 +358,7 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
>      /* Convert real address -> absolute address */
>      *raddr = mmu_real2abs(env, *raddr);
>  
> -    if (*raddr <= ram_size) {
> +    if (*raddr < ram_size) {
>          sk = &env->storage_keys[*raddr / TARGET_PAGE_SIZE];
>          if (*flags & PAGE_READ) {
>              *sk |= SK_R;

Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>

Patch

diff --git a/target-s390x/mmu_helper.c b/target-s390x/mmu_helper.c
index e8dcd0c..815ff42 100644
--- a/target-s390x/mmu_helper.c
+++ b/target-s390x/mmu_helper.c
@@ -358,7 +358,7 @@  int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
     /* Convert real address -> absolute address */
     *raddr = mmu_real2abs(env, *raddr);
 
-    if (*raddr <= ram_size) {
+    if (*raddr < ram_size) {
         sk = &env->storage_keys[*raddr / TARGET_PAGE_SIZE];
         if (*flags & PAGE_READ) {
             *sk |= SK_R;
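
Review bot: the new condition `*raddr < ram_size` bounds a byte address, but the access it guards indexes `storage_keys` by `*raddr / TARGET_PAGE_SIZE`, and the commit message gives the allocation as ram_size / PAGE_SIZE keys. That is only equivalent when ram_size is a multiple of TARGET_PAGE_SIZE; if it is not, an address in the trailing partial page passes the check and still indexes one element past the end of the array. Consider comparing the computed index against the number of allocated keys, or add a comment or assertion next to the check stating that ram_size is page-aligned at this point.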