[Qemu-devel] [PULL 08/29] s390x/mmu: Check table length and offset field
From: |
Christian Borntraeger |
Subject: |
[Qemu-devel] [PULL 08/29] s390x/mmu: Check table length and offset fields |
Date: |
Wed, 18 Feb 2015 21:22:02 +0100 |
From: Thomas Huth <address@hidden>
The ASCEs have a table length field and the region entries have
table length and offset fields which must be checked during
translation to see whether the given virtual address is really
covered by the translation table.
Signed-off-by: Thomas Huth <address@hidden>
Signed-off-by: Jens Freimann <address@hidden>
Signed-off-by: Christian Borntraeger <address@hidden>
---
target-s390x/cpu.h | 1 +
target-s390x/mmu_helper.c | 29 +++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/target-s390x/cpu.h b/target-s390x/cpu.h
index 95d0f3b..5563042 100644
--- a/target-s390x/cpu.h
+++ b/target-s390x/cpu.h
@@ -837,6 +837,7 @@ struct sysib_322 {
#define _ASCE_TABLE_LENGTH 0x03 /* region table length
*/
#define _REGION_ENTRY_ORIGIN ~0xfffULL /* region/segment table origin
*/
+#define _REGION_ENTRY_TF 0xc0 /* region/segment table offset
*/
#define _REGION_ENTRY_INV 0x20 /* invalid region table entry
*/
#define _REGION_ENTRY_TYPE_MASK 0x0c /* region/segment table type mask
*/
#define _REGION_ENTRY_TYPE_R1 0x0c /* region first table type
*/
diff --git a/target-s390x/mmu_helper.c b/target-s390x/mmu_helper.c
index 01d819e..d4087ba 100644
--- a/target-s390x/mmu_helper.c
+++ b/target-s390x/mmu_helper.c
@@ -171,6 +171,10 @@ static int mmu_translate_region(CPUS390XState *env,
target_ulong vaddr,
{
CPUState *cs = CPU(s390_env_get_cpu(env));
uint64_t origin, offs, new_entry;
+ const int pchks[4] = {
+ PGM_SEGMENT_TRANS, PGM_REG_THIRD_TRANS,
+ PGM_REG_SEC_TRANS, PGM_REG_FIRST_TRANS
+ };
PTE_DPRINTF("%s: 0x%" PRIx64 "\n", __func__, entry);
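Review bot: `pchks` at the top of the hunk is a non-static `const int` array, so it is rebuilt on every recursive call of mmu_translate_region; `static const int pchks[4] = { ... };` gives it a single definition and signals that it is a lookup table rather than per-call state. The index expression `level / 4 - 1` used further down the function is only meaningful when `level` is a non-zero multiple of 4, which this hunk does not show; a comment above the array such as `/* exception code for the table at level - 4, indexed by level / 4 - 1 */` would make the mapping explicit. The body of mmu_translate_region continues outside the hunk.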
@@ -201,6 +205,15 @@ static int mmu_translate_region(CPUS390XState *env,
target_ulong vaddr,
rw);
}
+ /* Check region table offset and length */
+ offs = (vaddr >> (28 + 11 * (level - 4) / 4)) & 3;
+ if (offs < ((new_entry & _REGION_ENTRY_TF) >> 6)
+ || offs > (new_entry & _REGION_ENTRY_LENGTH)) {
+ DPRINTF("%s: invalid offset or len (%lx)\n", __func__, new_entry);
+ trigger_page_fault(env, vaddr, pchks[level / 4 - 1], asc, rw);
+ return -1;
+ }
+
/* yet another region */
return mmu_translate_region(env, vaddr, asc, new_entry, level - 4,
raddr, flags, rw);
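Review bot: The shift in `offs = (vaddr >> (28 + 11 * (level - 4) / 4)) & 3;` looks one bit short of the top two index bits of the next-lower table: the checks added to mmu_translate_asc in the later hunks shift by 51, 40 and 29 for the region-second, region-third and segment indexes, whereas this formula yields 50, 39 and 28 if `level` steps by 4 down to 0 as the `level - 4` recursion suggests. If that is the encoding, the constant should be 29, `offs = (vaddr >> (29 + 11 * (level - 4) / 4)) & 3;`, otherwise the comparison reads the wrong bits and a table-length violation can be missed or a valid index faulted. Separately, the DPRINTF formats the uint64_t `new_entry` with `%lx` while the PTE_DPRINTF earlier in the same function uses `PRIx64`; `DPRINTF("%s: invalid offset or len (%" PRIx64 ")\n", __func__, new_entry);` keeps the two consistent and portable. The enclosing function starts and ends outside this hunk.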
@@ -238,6 +251,10 @@ static int mmu_translate_asc(CPUS390XState *env,
target_ulong vaddr,
level = asce & _ASCE_TYPE_MASK;
switch (level) {
case _ASCE_TYPE_REGION1:
+ if ((vaddr >> 62) > (asce & _ASCE_TABLE_LENGTH)) {
+ trigger_page_fault(env, vaddr, PGM_REG_FIRST_TRANS, asc, rw);
+ return -1;
+ }
break;
case _ASCE_TYPE_REGION2:
if (vaddr & 0xffe0000000000000ULL) {
@@ -246,6 +263,10 @@ static int mmu_translate_asc(CPUS390XState *env,
target_ulong vaddr,
trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw);
return -1;
}
+ if ((vaddr >> 51 & 3) > (asce & _ASCE_TABLE_LENGTH)) {
+ trigger_page_fault(env, vaddr, PGM_REG_SEC_TRANS, asc, rw);
+ return -1;
+ }
break;
case _ASCE_TYPE_REGION3:
if (vaddr & 0xfffffc0000000000ULL) {
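Review bot: `vaddr >> 51 & 3` on the added line relies on `>>` binding tighter than `&`; writing it as `(vaddr >> 51) & 3` states the intended grouping and matches the parenthesised form used for the equivalent test in mmu_translate_region. The same applies to the `>> 40 & 3` and `>> 29 & 3` checks added in the two following hunks. The switch these cases belong to starts before this hunk.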
@@ -254,6 +275,10 @@ static int mmu_translate_asc(CPUS390XState *env,
target_ulong vaddr,
trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw);
return -1;
}
+ if ((vaddr >> 40 & 3) > (asce & _ASCE_TABLE_LENGTH)) {
+ trigger_page_fault(env, vaddr, PGM_REG_THIRD_TRANS, asc, rw);
+ return -1;
+ }
break;
case _ASCE_TYPE_SEGMENT:
if (vaddr & 0xffffffff80000000ULL) {
@@ -262,6 +287,10 @@ static int mmu_translate_asc(CPUS390XState *env,
target_ulong vaddr,
trigger_page_fault(env, vaddr, PGM_TRANS_SPEC, asc, rw);
return -1;
}
+ if ((vaddr >> 29 & 3) > (asce & _ASCE_TABLE_LENGTH)) {
+ trigger_page_fault(env, vaddr, PGM_SEGMENT_TRANS, asc, rw);
+ return -1;
+ }
break;
}
--
1.9.3