Commit 4769886b authored May 10, 2017 by Dan Carpenter Committed by Radim Krčmář May 15, 2017

kvm: nVMX: off by one in vmx_write_pml_buffer()



There are PML_ENTITY_NUM elements in the pml_address[] array so the >
should be >= or we write beyond the end of the array when we do:

	pml_address[vmcs12->guest_pml_index--] = gpa;

Fixes: c5f983f6 ("nVMX: Implement emulated Page Modification Logging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>

parent 65acb891

arch/x86/kvm/vmx.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
		if (!nested_cpu_has_pml(vmcs12))
		return 0;

		if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {
		if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
		vmx->nested.pml_full = true;
		return 1;
		}