diff options
| author | AlexChen <alex.chen@huawei.com> | 2020-11-03 15:46:02 +0800 |
|---|---|---|
| committer | Thomas Huth <thuth@redhat.com> | 2020-11-17 09:45:24 +0100 |
| commit | f25c7ca0cecb71428f864b9ccb6f128ec39ea94e (patch) | |
| tree | 8e1582cb19a2f1d180673c2bba965e6bbcbf6e7b /target | |
| parent | 844d35b9c289dcc424baa4e4fcb38b19e914ce77 (diff) | |
| download | qemu-f25c7ca0cecb71428f864b9ccb6f128ec39ea94e.zip qemu-f25c7ca0cecb71428f864b9ccb6f128ec39ea94e.tar.gz qemu-f25c7ca0cecb71428f864b9ccb6f128ec39ea94e.tar.bz2 | |
target/microblaze: Fix possible array out of bounds in mmu_write()
The size of env->mmu.regs is 3, but the range of 'rn' is [0, 5].
To avoid data access out of bounds, only if 'rn' is less than 3, we
can print env->mmu.regs[rn]. In other cases, we can print
env->mmu.regs[MMU_R_TLBX].
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Alex Chen <alex.chen@huawei.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-Id: <5FA10ABA.1080109@huawei.com>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Diffstat (limited to 'target')
| -rw-r--r-- | target/microblaze/mmu.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/target/microblaze/mmu.c b/target/microblaze/mmu.c index 2baaef7..1e42696 100644 --- a/target/microblaze/mmu.c +++ b/target/microblaze/mmu.c @@ -234,7 +234,8 @@ void mmu_write(CPUMBState *env, bool ext, uint32_t rn, uint32_t v) unsigned int i; qemu_log_mask(CPU_LOG_MMU, - "%s rn=%d=%x old=%x\n", __func__, rn, v, env->mmu.regs[rn]); + "%s rn=%d=%x old=%x\n", __func__, rn, v, + rn < 3 ? env->mmu.regs[rn] : env->mmu.regs[MMU_R_TLBX]); if (cpu->cfg.mmu < 2 || !cpu->cfg.mmu_tlb_access) { qemu_log_mask(LOG_GUEST_ERROR, "MMU access on MMU-less system\n"); |