mirrors/qemu
0
0
Fork 0
mirror of https://github.com/qemu/qemu.git synced 2024-11-25 03:43:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

target-s390x: fix possible out of bounds read

Browse Source 
Array index starts at 0, so the valid index of ext_queue array,
io_queue array, mchk_queue array should be MAX_EXT_QUEUE - 1,
MAX_IO_QUEUE - 1, MAX_MCHK_QUEUE - 1.

The original checks missed the invalid bound value, which will lead
possible out of bounds read in the follow codes.

Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
This commit is contained in:
zhanghailiang 2014-11-24 10:47:45 +08:00 committed by Michael Tokarev
parent b5369dd841
commit 1a71992376
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
target-s390x/helper.c
View File

@ -648,7 +648,7 @@ static void do_ext_interrupt(CPUS390XState *env)
cpu_abort(CPU(cpu), "Ext int w/o ext mask\n");
}
if (env->ext_index < 0 || env->ext_index > MAX_EXT_QUEUE) {
if (env->ext_index < 0 || env->ext_index >= MAX_EXT_QUEUE) {
cpu_abort(CPU(cpu), "Ext queue overrun: %d\n", env->ext_index);
}
@ -696,7 +696,7 @@ static void do_io_interrupt(CPUS390XState *env)
if (env->io_index[isc] < 0) {
continue;
}
if (env->io_index[isc] > MAX_IO_QUEUE) {
if (env->io_index[isc] >= MAX_IO_QUEUE) {
cpu_abort(CPU(cpu), "I/O queue overrun for isc %d: %d\n",
isc, env->io_index[isc]);
}
@ -754,7 +754,7 @@ static void do_mchk_interrupt(CPUS390XState *env)
cpu_abort(CPU(cpu), "Machine check w/o mchk mask\n");
}
if (env->mchk_index < 0 || env->mchk_index > MAX_MCHK_QUEUE) {
if (env->mchk_index < 0 || env->mchk_index >= MAX_MCHK_QUEUE) {
cpu_abort(CPU(cpu), "Mchk queue overrun: %d\n", env->mchk_index);
}