target-s390x: Only access allocated storage keys

We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure that we only access that many. Unfortunately the code can overrun this array by one, potentially overwriting unrelated memory. Fix it by limiting storage keys to their scope. Signed-off-by: Alexander Graf <agraf@suse.de> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>

target-s390x: Only access allocated storage keys
We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure that we only access that many. Unfortunately the code can overrun this array by one, potentially overwriting unrelated memory. Fix it by limiting storage keys to their scope. Signed-off-by: Alexander Graf <agraf@suse.de> Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>
9814fed0 · Alexander Graf · 068593de · 9814fed0
Commit 9814fed0 authored 9 years ago by Alexander Graf
--- a/target-s390x/mmu_helper.c
+++ b/target-s390x/mmu_helper.c
@@ -358,7 +358,7 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
    /* Convert real address -> absolute address */
    *raddr = mmu_real2abs(env, *raddr);

-    if (*raddr <= ram_size) {
+    if (*raddr < ram_size) {
        sk = &env->storage_keys[*raddr / TARGET_PAGE_SIZE];
        if (*flags & PAGE_READ) {
            *sk |= SK_R;