From patchwork Wed Jun 3 22:52:44 2015
X-Patchwork-Submitter: Alexander Graf
X-Patchwork-Id: 480292
From: Alexander Graf
To: qemu-devel@nongnu.org
Cc: aurelien@aurel32.net, rth@twiddle.net
Date: Thu, 4 Jun 2015 00:52:44 +0200
Message-Id: <1433371964-130944-1-git-send-email-agraf@suse.de>
Subject: [Qemu-devel] [PATCH] target-s390x: Only access allocated storage keys

We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure that we only access that many. Unfortunately the code can overrun this array by one, potentially overwriting unrelated memory. Fix it by limiting storage keys to their scope.

Signed-off-by: Alexander Graf
Reviewed-by: Aurelien Jarno
---
target-s390x/mmu_helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target-s390x/mmu_helper.c b/target-s390x/mmu_helper.c
index e8dcd0c..815ff42 100644
--- a/target-s390x/mmu_helper.c
+++ b/target-s390x/mmu_helper.c
@@ -358,7 +358,7 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc, /* Convert real address -> absolute address */ *raddr = mmu_real2abs(env, *raddr); - if (*raddr <= ram_size) { + if (*raddr < ram_size) { sk = &env->storage_keys[*raddr / TARGET_PAGE_SIZE]; if (*flags & PAGE_READ) { *sk |= SK_R;
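Review bot: the new `*raddr < ram_size` guard in the hunk still lets `*raddr / TARGET_PAGE_SIZE` index one past the end of storage_keys when ram_size is not a multiple of TARGET_PAGE_SIZE: the commit message says only `ram_size / PAGE_SIZE` keys are allocated (integer division rounds down), so a real address inside a trailing partial page passes the check but selects key number `ram_size / TARGET_PAGE_SIZE`, which was never allocated. Comparing page indices instead of byte addresses, e.g. `if (*raddr / TARGET_PAGE_SIZE < ram_size / TARGET_PAGE_SIZE) {`, closes the off-by-one for every ram_size; if ram_size is guaranteed page-aligned on this target, saying so in the commit message would make the `<` fix self-evidently sufficient. For the aligned case the change is correct: with `<=`, `*raddr == ram_size` indexed storage_keys[ram_size / TARGET_PAGE_SIZE], one slot past the last allocated key, and the `*sk |= SK_R` that follows is the out-of-bounds write the message describes. Minor: the message says PAGE_SIZE while the code uses TARGET_PAGE_SIZE; using the same name in both avoids confusion about which constant sizes the array.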