diff --git a/hw/s390x/css.c b/hw/s390x/css.c
index 6a42b95cee..1880b1a0ff 100644
--- a/hw/s390x/css.c
+++ b/hw/s390x/css.c
@@ -795,6 +795,10 @@ static int css_interpret_ccw(SubchDev *sch, hwaddr ccw_addr,
 if (!ccw_addr) {
 return -EIO;
 }
+ /* Check doubleword aligned and 31 or 24 (fmt 0) bit addressable. */
+ if (ccw_addr & (sch->ccw_fmt_1 ? 0x80000007 : 0xff000007)) {
+ return -EINVAL;
+ }
 /* Translate everything to format-1 ccws - the information is the same. */
 ccw = copy_ccw_from_guest(ccw_addr, sch->ccw_fmt_1);
@@ -881,7 +885,8 @@ static int css_interpret_ccw(SubchDev *sch, hwaddr ccw_addr,
 ret = -EINVAL;
 break;
 }
- if (ccw.flags & (CCW_FLAG_CC | CCW_FLAG_DC)) {
+ if (ccw.flags || ccw.count) {
+ /* We have already sanitized these if converted from fmt 0. */
 ret = -EINVAL;
 break;
 }
diff --git a/target/s390x/misc_helper.c b/target/s390x/misc_helper.c
index 44c5c401fb..d23ffcd890 100644
--- a/target/s390x/misc_helper.c
+++ b/target/s390x/misc_helper.c
@@ -192,7 +192,7 @@ uint32_t HELPER(stsi)(CPUS390XState *env, uint64_t a0,
 if ((r0 & STSI_LEVEL_MASK) <= STSI_LEVEL_3 &&
 ((r0 & STSI_R0_RESERVED_MASK) || (r1 & STSI_R1_RESERVED_MASK))) {
 /* valid function code, invalid reserved bits */
- program_interrupt(env, PGM_SPECIFICATION, 2);
+ program_interrupt(env, PGM_SPECIFICATION, 4);
 }
 sel1 = r0 & STSI_R0_SEL1_MASK;
diff --git a/target/s390x/mmu_helper.c b/target/s390x/mmu_helper.c
index a873dc48a0..1ad01584b4 100644
--- a/target/s390x/mmu_helper.c
+++ b/target/s390x/mmu_helper.c
@@ -440,7 +440,7 @@ static int translate_pages(S390CPU *cpu, vaddr addr, int nr_pages,
 }
 if (!address_space_access_valid(&address_space_memory, pages[i],
 TARGET_PAGE_SIZE, is_write)) {
- program_interrupt(env, PGM_ADDRESSING, 0);
+ program_interrupt(env, PGM_ADDRESSING, ILEN_AUTO);
 return -EFAULT;
 }
 addr += TARGET_PAGE_SIZE;
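Review bot: In the first css.c hunk (css_interpret_ccw, @@ -795), the masks `0x80000007` and `0xff000007` are 32-bit literals, so once they are widened to the type of `ccw_addr` (`hwaddr`) any bits above bit 31 go unchecked. Whether a caller can pass such a value is not visible here, but the address appears to be guest-controlled and goes straight to `copy_ccw_from_guest()`, so testing for "nothing outside the permitted bits" is more robust: `if (ccw_addr & ~(hwaddr)(sch->ccw_fmt_1 ? 0x7ffffff8 : 0x00fffff8)) {`. Naming the two masks would also spare the reader from decoding them. The function body starts and ends outside the hunk.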
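Review bot: In the second css.c hunk (@@ -881), the new test `if (ccw.flags || ccw.count)` is only correct for format-0 CCWs if the conversion step has already zeroed both fields, and that code is not part of this diff. The added comment sits inside the error branch, where it reads like the reason for rejecting; I would move it above the condition and name the function it relies on, e.g. `/* flags and count must be zero; copy_ccw_from_guest() clears them when converting a fmt-0 CCW */`. If that helper does not clear `count` on conversion, this stricter check would start rejecting channel programs that were accepted before. The enclosing block begins outside the hunk.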
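Review bot: The corrected third argument in the misc_helper.c hunk, `program_interrupt(env, PGM_SPECIFICATION, 4);`, is still a bare literal, and the value it replaces shows how easily it goes wrong. The mmu_helper.c hunk in the same patch passes `ILEN_AUTO` for this parameter, so it is presumably the instruction length; a short comment such as `/* STSI is a 4-byte instruction */` would let a reader verify the number. If `ILEN_AUTO` is usable from this helper too, using it in both places would be more consistent, though that cannot be confirmed from the hunk. The function body continues outside the hunk.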