diff options
| -rw-r--r-- | target-s390x/cpu.h | 1 | ||||
| -rw-r--r-- | target-s390x/mmu_helper.c | 29 |
2 files changed, 30 insertions, 0 deletions
diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h index 95d0f3b601..556304241a 100644 --- a/target-s390x/cpu.h +++ b/target-s390x/cpu.h @@ -837,6 +837,7 @@ struct sysib_322 { #define _ASCE_TABLE_LENGTH 0x03 /* region table length */ #define _REGION_ENTRY_ORIGIN ~0xfffULL /* region/segment table origin */ +#define _REGION_ENTRY_TF 0xc0 /* region/segment table offset */ #define _REGION_ENTRY_INV 0x20 /* invalid region table entry */ #define _REGION_ENTRY_TYPE_MASK 0x0c /* region/segment table type mask */ #define _REGION_ENTRY_TYPE_R1 0x0c /* region first table type */ diff --git a/target-s390x/mmu_helper.c b/target-s390x/mmu_helper.c index 01d819e026..d4087ba3ce 100644 --- a/target-s390x/mmu_helper.c +++ b/target-s390x/mmu_helper.c @@ -171,6 +171,10 @@ static int mmu_translate_region(CPUS390XState *env, target_ulong vaddr, { CPUState *cs = CPU(s390_env_get_cpu(env)); uint64_t origin, offs, new_entry; + const int pchks[4] = { + PGM_SEGMENT_TRANS, PGM_REG_THIRD_TRANS, + PGM_REG_SEC_TRANS, PGM_REG_FIRST_TRANS + }; PTE_DPRINTF("%s: 0x%" PRIx64 "\n", __func__, entry); @@ -201,6 +205,15 @@ static int mmu_translate_region(CPUS390XState *env, target_ulong vaddr, rw); } + /* Check region table offset and length */ + offs = (vaddr >> (28 + 11 * (level - 4) / 4)) & 3; + if (offs < ((new_entry & _REGION_ENTRY_TF) >> 6) + || offs > (new_entry & _REGION_ENTRY_LENGTH)) { + DPRINTF("%s: invalid offset or len (%lx)\n", __func__, new_entry); + trigger_page_fault(env, vaddr, pchks[level / 4 - 1], asc, rw); + return -1; + } + /* yet another region */ return mmu_translate_region(env, vaddr, asc, new_entry, level - 4, raddr, flags, rw); @@ -238,6 +251,10 @@ static int mmu_translate_asc(CPUS390XState *env, target_ulong vaddr, level = asce & _ASCE_TYPE_MASK; switch (level) { case _ASCE_TYPE_REGION1: + if ((vaddr >> 62) > (asce & _ASCE_TABLE_LENGTH)) { + trigger_page_fault(env, vaddr, PGM_REG_FIRST_TRANS, asc, rw); + return -1; + } break; case _ASCE_TYPE_REGION2: if (vaddr & 0xffe0000000000000ULL) { @@ -246,6 +263,10 @@ static int mmu_translate_asc(CPUS390XState *env, target_ulong vaddr, trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw); return -1; } + if ((vaddr >> 51 & 3) > (asce & _ASCE_TABLE_LENGTH)) { + trigger_page_fault(env, vaddr, PGM_REG_SEC_TRANS, asc, rw); + return -1; + } break; case _ASCE_TYPE_REGION3: if (vaddr & 0xfffffc0000000000ULL) { @@ -254,6 +275,10 @@ static int mmu_translate_asc(CPUS390XState *env, target_ulong vaddr, trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw); return -1; } + if ((vaddr >> 40 & 3) > (asce & _ASCE_TABLE_LENGTH)) { + trigger_page_fault(env, vaddr, PGM_REG_THIRD_TRANS, asc, rw); + return -1; + } break; case _ASCE_TYPE_SEGMENT: if (vaddr & 0xffffffff80000000ULL) { @@ -262,6 +287,10 @@ static int mmu_translate_asc(CPUS390XState *env, target_ulong vaddr, trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw); return -1; } + if ((vaddr >> 29 & 3) > (asce & _ASCE_TABLE_LENGTH)) { + trigger_page_fault(env, vaddr, PGM_SEGMENT_TRANS, asc, rw); + return -1; + } break; } |