Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d72118ce authored by Marcelo Tosatti's avatar Marcelo Tosatti
Browse files

KVM: properly check max PIC pin in irq route setup 



Otherwise memory beyond irq_states[16] might be accessed.

Noticed by Juan Quintela.

Cc: stable@kernel.org
Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
Acked-by: default avatarJuan Quintela <quintela@redhat.com>
Signed-off-by: default avatarAvi Kivity <avi@redhat.com>
parent f1d1c309

virt/kvm/irq_comm.c

+5 −1
Original line number Diff line number Diff line
@@ -302,6 +302,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt, 
{

	int r = -EINVAL;

	int delta;

	unsigned max_pin;

	struct kvm_kernel_irq_routing_entry *ei;

	struct hlist_node *n;
@@ -322,12 +323,15 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt, 
		switch (ue->u.irqchip.irqchip) {

		case KVM_IRQCHIP_PIC_MASTER:

			e->set = kvm_set_pic_irq;

			max_pin = 16;

			break;

		case KVM_IRQCHIP_PIC_SLAVE:

			e->set = kvm_set_pic_irq;

			max_pin = 16;

			delta = 8;

			break;

		case KVM_IRQCHIP_IOAPIC:

			max_pin = KVM_IOAPIC_NUM_PINS;

			e->set = kvm_set_ioapic_irq;

			break;

		default:
@@ -335,7 +339,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt, 
		}

		e->irqchip.irqchip = ue->u.irqchip.irqchip;

		e->irqchip.pin = ue->u.irqchip.pin + delta;

		if (e->irqchip.pin >= KVM_IOAPIC_NUM_PINS)

		if (e->irqchip.pin >= max_pin)

			goto out;

		rt->chip[ue->u.irqchip.irqchip][e->irqchip.pin] = ue->gsi;

		break;