author | zhanghailiang <zhang.zhanghailiang@huawei.com> | 2014-11-24 10:47:45 +0800 |
---|---|---|
committer | Michael Tokarev <mjt@tls.msk.ru> | 2014-12-10 11:14:44 +0300 |
commit | 1a71992376792a0d11ea27688bd1a21cdffd1826 (patch) | |
tree | 5bcaca48666429b543e109278b06dde7414d6e00 /target-s390x/helper.c | |
parent | b5369dd841b55aa24dd107223e0a08d8624d1b19 (diff) | |
target-s390x: fix possible out of bounds read
Array indices start at 0, so the highest valid index of the ext_queue,
io_queue and mchk_queue arrays is MAX_EXT_QUEUE - 1, MAX_IO_QUEUE - 1
and MAX_MCHK_QUEUE - 1 respectively.
The original checks did not reject the out-of-range boundary value, which
could lead to an out-of-bounds read in the code that follows.
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Diffstat (limited to 'target-s390x/helper.c')
-rw-r--r-- | target-s390x/helper.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/target-s390x/helper.c b/target-s390x/helper.c
index 09aec7b..96a4f22 100644
--- a/target-s390x/helper.c
+++ b/target-s390x/helper.c
@@ -648,7 +648,7 @@ static void do_ext_interrupt(CPUS390XState *env)
 cpu_abort(CPU(cpu), "Ext int w/o ext mask\n");
 }
- if (env->ext_index < 0 || env->ext_index > MAX_EXT_QUEUE) {
+ if (env->ext_index < 0 || env->ext_index >= MAX_EXT_QUEUE) {
 cpu_abort(CPU(cpu), "Ext queue overrun: %d\n", env->ext_index);
 }
@@ -696,7 +696,7 @@ static void do_io_interrupt(CPUS390XState *env)
 if (env->io_index[isc] < 0) {
 continue;
 }
- if (env->io_index[isc] > MAX_IO_QUEUE) {
+ if (env->io_index[isc] >= MAX_IO_QUEUE) {
 cpu_abort(CPU(cpu), "I/O queue overrun for isc %d: %d\n", isc, env->io_index[isc]);
 }
@@ -754,7 +754,7 @@ static void do_mchk_interrupt(CPUS390XState *env)
 cpu_abort(CPU(cpu), "Machine check w/o mchk mask\n");
 }
- if (env->mchk_index < 0 || env->mchk_index > MAX_MCHK_QUEUE) {
+ if (env->mchk_index < 0 || env->mchk_index >= MAX_MCHK_QUEUE) {
 cpu_abort(CPU(cpu), "Mchk queue overrun: %d\n", env->mchk_index);
 }
 |
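Review bot: The corrected guards in do_ext_interrupt, do_io_interrupt and do_mchk_interrupt cover only the consumer side. The code that stores into `ext_index`, `io_index[isc]` and `mchk_index` lies outside these hunks, and if it compares with `> MAX_*_QUEUE` in the same way, the off-by-one there would be an out-of-bounds write rather than a read, so those sites deserve the same audit. A short comment above each guard stating the invariant would help keep the three checks from drifting apart again, for example `/* valid slots are 0 .. MAX_EXT_QUEUE - 1 */`. All three function bodies begin and end outside the hunks, so the array accesses these guards protect are not visible here.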