From 9814fed0afa73f5c37f04e02ec17c915a5d59303 Mon Sep 17 00:00:00 2001
From: Alexander Graf
Date: Thu, 4 Jun 2015 00:52:44 +0200
Subject: target-s390x: Only access allocated storage keys

We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure that we only access that many. Unfortunately the code can overrun this array by one, potentially overwriting unrelated memory. Fix it by limiting storage keys to their scope.

Signed-off-by: Alexander Graf
Reviewed-by: Aurelien Jarno
---
 target-s390x/mmu_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'target-s390x')
diff --git a/target-s390x/mmu_helper.c b/target-s390x/mmu_helper.c
index e8dcd0c..815ff42 100644
--- a/target-s390x/mmu_helper.c
+++ b/target-s390x/mmu_helper.c
@@ -358,7 +358,7 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
 /* Convert real address -> absolute address */
 *raddr = mmu_real2abs(env, *raddr);
- if (*raddr <= ram_size) {
+ if (*raddr < ram_size) {
 sk = &env->storage_keys[*raddr / TARGET_PAGE_SIZE];
 if (*flags & PAGE_READ) {
 *sk |= SK_R;
--
cgit v1.1
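Review bot: The new bound `*raddr < ram_size` in mmu_translate is only tight when ram_size is a multiple of TARGET_PAGE_SIZE. The commit message says ram_size / PAGE_SIZE keys are allocated, so if that division rounds down, an address in a trailing partial page still produces an index equal to the key count, one past the end. Comparing in units of keys removes the dependence on alignment: `if (*raddr / TARGET_PAGE_SIZE < ram_size / TARGET_PAGE_SIZE) {`. The allocation and any alignment guarantee on ram_size are outside this hunk, so this should be confirmed there, and any other site that indexes `env->storage_keys` would merit the same check. The body of mmu_translate starts before and continues past the hunk.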