[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [PATCH 04/25] s390x/mmu: Check table length and offset fiel
|
From: |
Jens Freimann |
|
Subject: |
[Qemu-devel] [PATCH 04/25] s390x/mmu: Check table length and offset fields |
|
Date: |
Thu, 12 Feb 2015 18:09:21 +0100 |
From: Thomas Huth <address@hidden>
The ACSEs have a table length field and the region entries have
table length and offset fields which must be checked during
translation to see whether the given virtual address is really
covered by the translation table.
Signed-off-by: Thomas Huth <address@hidden>
Signed-off-by: Jens Freimann <address@hidden>
---
target-s390x/cpu.h | 1 +
target-s390x/mmu_helper.c | 29 +++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index 95d0f3b..5563042 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -837,6 +837,7 @@ struct sysib_322 {
#define _ASCE_TABLE_LENGTH 0x03 /* region table length
*/
#define _REGION_ENTRY_ORIGIN ~0xfffULL /* region/segment table origin
*/
+#define _REGION_ENTRY_TF 0xc0 /* region/segment table offset
*/
#define _REGION_ENTRY_INV 0x20 /* invalid region table entry
*/
#define _REGION_ENTRY_TYPE_MASK 0x0c /* region/segment table type mask
*/
#define _REGION_ENTRY_TYPE_R1 0x0c /* region first table type
*/
diff --git a/target-s390x/mmu_helper.c b/target-s390x/mmu_helper.c
index 01d819e..d4087ba 100644
--- a/target-s390x/mmu_helper.c
+++ b/target-s390x/mmu_helper.c
@@ -171,6 +171,10 @@ static int mmu_translate_region(CPUS390XState *env,
target_ulong vaddr,
{
CPUState *cs = CPU(s390_env_get_cpu(env));
uint64_t origin, offs, new_entry;
+ const int pchks[4] = {
+ PGM_SEGMENT_TRANS, PGM_REG_THIRD_TRANS,
+ PGM_REG_SEC_TRANS, PGM_REG_FIRST_TRANS
+ };
PTE_DPRINTF("%s: 0x%" PRIx64 "\n", __func__, entry);
@@ -201,6 +205,15 @@ static int mmu_translate_region(CPUS390XState *env,
target_ulong vaddr,
rw);
}
+ /* Check region table offset and length */
+ offs = (vaddr >> (28 + 11 * (level - 4) / 4)) & 3;
+ if (offs < ((new_entry & _REGION_ENTRY_TF) >> 6)
+ || offs > (new_entry & _REGION_ENTRY_LENGTH)) {
+ DPRINTF("%s: invalid offset or len (%lx)\n", __func__, new_entry);
+ trigger_page_fault(env, vaddr, pchks[level / 4 - 1], asc, rw);
+ return -1;
+ }
+
/* yet another region */
return mmu_translate_region(env, vaddr, asc, new_entry, level - 4,
raddr, flags, rw);
@@ -238,6 +251,10 @@ static int mmu_translate_asc(CPUS390XState *env,
target_ulong vaddr,
level = asce & _ASCE_TYPE_MASK;
switch (level) {
case _ASCE_TYPE_REGION1:
+ if ((vaddr >> 62) > (asce & _ASCE_TABLE_LENGTH)) {
+ trigger_page_fault(env, vaddr, PGM_REG_FIRST_TRANS, asc, rw);
+ return -1;
+ }
break;
case _ASCE_TYPE_REGION2:
if (vaddr & 0xffe0000000000000ULL) {
@@ -246,6 +263,10 @@ static int mmu_translate_asc(CPUS390XState *env,
target_ulong vaddr,
trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw);
return -1;
}
+ if ((vaddr >> 51 & 3) > (asce & _ASCE_TABLE_LENGTH)) {
+ trigger_page_fault(env, vaddr, PGM_REG_SEC_TRANS, asc, rw);
+ return -1;
+ }
break;
case _ASCE_TYPE_REGION3:
if (vaddr & 0xfffffc0000000000ULL) {
@@ -254,6 +275,10 @@ static int mmu_translate_asc(CPUS390XState *env,
target_ulong vaddr,
trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw);
return -1;
}
+ if ((vaddr >> 40 & 3) > (asce & _ASCE_TABLE_LENGTH)) {
+ trigger_page_fault(env, vaddr, PGM_REG_THIRD_TRANS, asc, rw);
+ return -1;
+ }
break;
case _ASCE_TYPE_SEGMENT:
if (vaddr & 0xffffffff80000000ULL) {
@@ -262,6 +287,10 @@ static int mmu_translate_asc(CPUS390XState *env,
target_ulong vaddr,
trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw);
return -1;
}
+ if ((vaddr >> 29 & 3) > (asce & _ASCE_TABLE_LENGTH)) {
+ trigger_page_fault(env, vaddr, PGM_SEGMENT_TRANS, asc, rw);
+ return -1;
+ }
break;
}
--
2.1.4
- [Qemu-devel] [PATCH 00/25] s390x: rework guest memory access, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 18/25] s390x/ioinst: Rework memory access in STSCH instruction, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 24/25] s390x/pci: Rework memory access in zpci instruction, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 12/25] s390x/mmu: Clean up mmu_translate_asc(), Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 15/25] s390x/css: Make schib parameter of css_do_msch const, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 11/25] s390x/mmu: Check bit 52 in page table entry, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 08/25] s390x/mmu: Fix the exception codes for illegal table entries, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 05/25] s390x/mmu: Skip exceptions properly when translating addresses for debug, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 04/25] s390x/mmu: Check table length and offset fields,
Jens Freimann <=
- [Qemu-devel] [PATCH 09/25] s390x/mmu: Add support for read-only regions, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 03/25] s390x/mmu: Fix the handling of the table levels, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 25/25] s390x/helper: Remove s390_cpu_physical_memory_map, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 07/25] s390x/mmu: Fix exception types when checking the ASCEs, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 14/25] s390x/mmu: Add function for accessing guest memory, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 16/25] s390x/ioinst: Rework memory access in MSCH instruction, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 13/25] s390x/kvm: Add function for injecting pgm access exceptions, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 17/25] s390x/ioinst: Rework memory access in SSCH instruction, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 02/25] s390x/mmu: Fix the check for the real-space designation bit, Jens Freimann, 2015/02/12
- [Qemu-devel] [PATCH 20/25] s390x/ioinst: Rework memory access in TSCH instruction, Jens Freimann, 2015/02/12