The riscv_disasm function reads instruction mnemonics from static arrays based on the Control and Status Register (CSR) number encoded in an instruction. Two separate bounds checks performed before reading from these arrays had incorrect upper bounds and allowed out-of-bounds reads.
Fix two CSR bounds checks to prevent this. The affected CSR numbers that are no longer included in the modified checks are now properly handled in a generic CSR handler in the riscv_disasm function. Signed-off-by: Aaron Merey <[email protected]> --- libcpu/riscv_disasm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libcpu/riscv_disasm.c b/libcpu/riscv_disasm.c index 749d4567..38a9ab9f 100644 --- a/libcpu/riscv_disasm.c +++ b/libcpu/riscv_disasm.c @@ -1097,7 +1097,7 @@ riscv_disasm (Ebl *ebl, else if ((word & 0x3000) == 0x2000 && rs1 == 0) { uint32_t csr = word >> 20; - if (/* csr >= 0x000 && */ csr <= 0x007) + if (/* csr >= 0x000 && */ csr <= 0x003) { static const char *const unprivrw[4] = { @@ -1105,7 +1105,7 @@ riscv_disasm (Ebl *ebl, }; mne = unprivrw[csr - 0x000]; } - else if (csr >= 0xc00 && csr <= 0xc03) + else if (csr >= 0xc00 && csr <= 0xc02) { static const char *const unprivrolow[3] = { -- 2.54.0
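Review bot: In the first hunk, the new bound in `if (/* csr >= 0x000 && */ csr <= 0x003)` is still a literal that has to be kept in step by hand with the dimension of `unprivrw[4]`, which is the kind of mismatch that produced the out-of-bounds read. Consider declaring the array before the check and testing `csr < sizeof (unprivrw) / sizeof (unprivrw[0])`, or adding a compile-time assertion on the element count, so the check cannot drift from the table again. The initializer entries are not visible in this hunk, so it is also worth confirming that all four slots, including index 0, hold a usable mnemonic before the result of `mne = unprivrw[csr - 0x000];` is used.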
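Review bot: In the second hunk, `else if (csr >= 0xc00 && csr <= 0xc02)` now matches `unprivrolow[3]`, but the patch touches only libcpu/riscv_disasm.c (2 insertions, 2 deletions) and adds no regression test. The commit message states that the excluded CSR numbers are handled by the generic CSR handler; a test that disassembles this instruction form with csr 0xc03 and with csr 0x004 through 0x007 would pin that behaviour down and catch a future change to either bound. As with the first check, deriving the upper limit from the array's element count rather than a literal would keep the check and the table together.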
