
Commit 062d5e9b authored by Christian Borntraeger, committed by Marcelo Tosatti

KVM: S390: fix potential array overrun in intercept handling
kvm_handle_sie_intercept uses a jump table to get the intercept handler
for a SIE intercept. Static code analysis revealed a potential problem:
the intercept_funcs jump table was defined to contain (0x48 >> 2) entries,
but we only checked for code > 0x48 which would cause an off-by-one
array overflow if code == 0x48.

Use the compiler and ARRAY_SIZE to automatically set the limits.

Cc: stable@kernel.org
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
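The off-by-one the commit message describes, reproduced in a user-space C program added here as an illustration (this is not the kernel's code): a table whose highest populated slot is 0x44 >> 2 has 0x48 >> 2 = 18 entries, so the old bound `code > 0x48` accepts one code that indexes past the end while the ARRAY_SIZE bound does not. The handler names and table contents are constructed for the example, and ARRAY_SIZE is reimplemented in kernel style.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Kernel-style ARRAY_SIZE, reimplemented so the example builds in user space. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

typedef int (*intercept_handler_t)(uint8_t code);

/* Stand-in handlers, constructed for this example (not the KVM ones). */
static int handle_noop(uint8_t code) { (void)code; return 0; }
static int handle_other(uint8_t code) { return code; }

/* Constructed table with the same shape as the patched one: the highest populated
 * slot is 0x44 >> 2 = 17, so the compiler sizes it to 18 entries (0x48 >> 2), indices 0..17. */
static const intercept_handler_t intercept_funcs[] = {
	[0x00 >> 2] = handle_noop,
	[0x04 >> 2] = handle_other,
	[0x44 >> 2] = handle_other,
};

/* Pre-patch bound: accepts code == 0x48, whose slot (18) is one past the end. */
static int old_check_accepts(uint8_t code)
{
	return !(code & 3 || code > 0x48);
}

/* Patched bound: derived from the table's real size, so 0x48 is rejected. */
static int new_check_accepts(uint8_t code)
{
	return !(code & 3 || (code >> 2) >= ARRAY_SIZE(intercept_funcs));
}

/* Count the codes a check accepts whose slot lies outside the table. */
static int count_out_of_bounds(int (*accepts)(uint8_t))
{
	int n = 0;
	for (int code = 0; code <= 0xff; code++)
		if (accepts((uint8_t)code) && (size_t)(code >> 2) >= ARRAY_SIZE(intercept_funcs))
			n++;
	return n;
}

int main(void)
{
	printf("table has %zu slots\n", ARRAY_SIZE(intercept_funcs));
	printf("old check lets %d code(s) past the end; new check lets %d\n",
	       count_out_of_bounds(old_check_accepts), count_out_of_bounds(new_check_accepts));
	return 0;
}
```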
parent b6a114d2
+2 −2
@@ -213,7 +213,7 @@ static int handle_instruction_and_prog(struct kvm_vcpu *vcpu)
	return rc2;
	return rc2;
}
}


static const intercept_handler_t intercept_funcs[0x48 >> 2] = {
static const intercept_handler_t intercept_funcs[] = {
	[0x00 >> 2] = handle_noop,
	[0x00 >> 2] = handle_noop,
	[0x04 >> 2] = handle_instruction,
	[0x04 >> 2] = handle_instruction,
	[0x08 >> 2] = handle_prog,
	[0x08 >> 2] = handle_prog,
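Review bot: with the explicit `[0x48 >> 2]` bound removed, the table's length is now whatever the highest designated initializer implies, so the bounds check in kvm_handle_sie_intercept and this table can no longer drift apart, which is the point of the fix. A one-line comment above `intercept_funcs[]` noting that its size is relied on through ARRAY_SIZE would make that dependency visible to anyone later adding a handler for a higher intercept code.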
@@ -230,7 +230,7 @@ int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
	intercept_handler_t func;
	intercept_handler_t func;
	u8 code = vcpu->arch.sie_block->icptcode;
	u8 code = vcpu->arch.sie_block->icptcode;


	if (code & 3 || code > 0x48)
	if (code & 3 || (code >> 2) >= ARRAY_SIZE(intercept_funcs))
		return -ENOTSUPP;
		return -ENOTSUPP;
	func = intercept_funcs[code >> 2];
	func = intercept_funcs[code >> 2];
	if (func)
	if (func)
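Review bot: the new condition `(code >> 2) >= ARRAY_SIZE(intercept_funcs)` closes the off-by-one (the old `code > 0x48` let 0x48 through to slot 18 of an 18-entry table), and because `code` is a `u8` the promotion to size_t in the comparison cannot wrap. Two small points: `code >> 2` is now computed both in the check and in the lookup on the following line, so a local `unsigned int idx = code >> 2;` used in both would keep them in lockstep; and it is worth confirming that 0x48 is not an intercept code a guest can actually raise, since it is now rejected with -ENOTSUPP where it previously read past the table.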