target/microblaze: Fix possible array out of bounds in mmu_write()

The size of env->mmu.regs is 3, but the range of 'rn' is [0, 5]. To avoid data access out of bounds, only if 'rn' is less than 3, we can print env->mmu.regs[rn]. In other cases, we can print env->mmu.regs[MMU_R_TLBX]. Reported-by: Euler Robot <euler.robot@huawei.com> Signed-off-by: Alex Chen <alex.chen@huawei.com> Reviewed-by: Thomas Huth <thuth@redhat.com> Reviewed-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com> Message-Id: <5FA10ABA.1080109@huawei.com> Signed-off-by: Thomas Huth <thuth@redhat.com>
2024-11-05 20:35:44 +00:00 · 2020-11-03 15:46:02 +08:00 · 2020-11-03 15:46:02 +08:00 · f25c7ca0ce
commit f25c7ca0ce
parent 844d35b9c2
1 changed files with 2 additions and 1 deletions
--- a/target/microblaze/mmu.c
+++ b/target/microblaze/mmu.c
@ -234,7 +234,8 @@ void mmu_write(CPUMBState *env, bool ext, uint32_t rn, uint32_t v)
    unsigned int i;

    qemu_log_mask(CPU_LOG_MMU,
-                  "%s rn=%d=%x old=%x\n", __func__, rn, v, env->mmu.regs[rn]);
+                  "%s rn=%d=%x old=%x\n", __func__, rn, v,
+                  rn < 3 ? env->mmu.regs[rn] : env->mmu.regs[MMU_R_TLBX]);

    if (cpu->cfg.mmu < 2 || !cpu->cfg.mmu_tlb_access) {
        qemu_log_mask(LOG_GUEST_ERROR, "MMU access on MMU-less system\n");