target-s390x: Only access allocated storage keys

We allocate ram_size / PAGE_SIZE storage keys, so we need to make sure that
we only access that many. Unfortunately the code can overrun this array by
one, potentially overwriting unrelated memory.

Fix it by limiting storage keys to their scope.

Signed-off-by: Alexander Graf <agraf@suse.de>
Reviewed-by: Aurelien Jarno <aurelien@aurel32.net>

diff --git a/target-s390x/mmu_helper.c b/target-s390x/mmu_helper.c
index e8dcd0c18f1abe6239ff40e6ef806844bf4c2097..815ff42dde36d55b5e51250f58fcca67d1bce8bd 100644 (file)
--- a/target-s390x/mmu_helper.c
+++ b/target-s390x/mmu_helper.c
@@ -358,7 +358,7 @@ int mmu_translate(CPUS390XState *env, target_ulong vaddr, int rw, uint64_t asc,
     /* Convert real address -> absolute address */
     *raddr = mmu_real2abs(env, *raddr);
 
-    if (*raddr <= ram_size) {
+    if (*raddr < ram_size) {
         sk = &env->storage_keys[*raddr / TARGET_PAGE_SIZE];
         if (*flags & PAGE_READ) {
             *sk |= SK_R;