riscv_disasm.c: Fix out-of-bounds reads main
authorAaron Merey <amerey@redhat.com>
Mon, 1 Jun 2026 01:54:53 +0000 (21:54 -0400)
committerAaron Merey <amerey@redhat.com>
Tue, 2 Jun 2026 00:24:05 +0000 (20:24 -0400)
The riscv_disasm function reads instruction mnemonics from static
arrays based on the Control and Status Register (CSR) number encoded
in an instruction.  Two separate bounds checks performed before reading
from these arrays had incorrect upper bounds and allowed out-of-bounds
reads.

Fix two CSR bounds checks to prevent this. The affected CSR numbers that
are no longer included in the modified checks are now properly handled
in a generic CSR handler in the riscv_disasm function.

Signed-off-by: Aaron Merey <amerey@redhat.com>
libcpu/riscv_disasm.c

index 749d4567023292421b5a9ce89ea505e7b7542896..38a9ab9fc3aabb4899b87040ca84e2e81c715c04 100644 (file)
@@ -1097,7 +1097,7 @@ riscv_disasm (Ebl *ebl,
              else if ((word & 0x3000) == 0x2000 && rs1 == 0)
                {
                  uint32_t csr = word >> 20;
-                 if (/* csr >= 0x000 && */ csr <= 0x007)
+                 if (/* csr >= 0x000 && */ csr <= 0x003)
                    {
                      static const char *const unprivrw[4] =
                        {
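Review bot: The new upper bounds `0x003` and `0xc02` are still hand-maintained literals sitting next to the array lengths `unprivrw[4]` and `unprivrolow[3]`, the same coupling that allowed the original out-of-bounds read, and nothing in either hunk ties a check to the table it guards. Each table is declared inside the branch it guards, so the condition cannot use its size directly; I would add a compile-time check right after each initializer, for example `_Static_assert (sizeof unprivrw / sizeof unprivrw[0] == 0x003 + 1, "unprivrw bound");` (assuming the project's C dialect allows it), with the equivalent `0xc02 - 0xc00 + 1` form for `unprivrolow` in the second hunk. The initializers lie between the two hunks and are not visible here, so it is worth confirming that every slot reachable under the new bounds holds a mnemonic, or that a NULL `mne` falls through to the generic CSR handler the description mentions. A disassembly regression test covering CSR 0x004–0x007 and 0xc03 would pin the fix; none is visible on this page.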
@@ -1105,7 +1105,7 @@ riscv_disasm (Ebl *ebl,
                        };
                      mne = unprivrw[csr - 0x000];
                    }
-                 else if (csr >= 0xc00 && csr <= 0xc03)
+                 else if (csr >= 0xc00 && csr <= 0xc02)
                    {
                      static const char *const unprivrolow[3] =
                        {