Commit d72118cecabbb76b96b77107a50c74d1bb36c0c1
1 parent
f1d1c309f3
Exists in
master
and in
7 other branches
KVM: properly check max PIC pin in irq route setup
Otherwise memory beyond irq_states[16] might be accessed. Noticed by Juan Quintela. Cc: stable@kernel.org Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> Acked-by: Juan Quintela <quintela@redhat.com> Signed-off-by: Avi Kivity <avi@redhat.com>
Showing 1 changed file with 5 additions and 1 deletions Side-by-side Diff
virt/kvm/irq_comm.c
| ... | ... | @@ -302,6 +302,7 @@ |
| 302 | 302 | { |
| 303 | 303 | int r = -EINVAL; |
| 304 | 304 | int delta; |
| 305 | + unsigned max_pin; | |
| 305 | 306 | struct kvm_kernel_irq_routing_entry *ei; |
| 306 | 307 | struct hlist_node *n; |
| 307 | 308 | |
| 308 | 309 | |
| 309 | 310 | |
| ... | ... | @@ -322,12 +323,15 @@ |
| 322 | 323 | switch (ue->u.irqchip.irqchip) { |
| 323 | 324 | case KVM_IRQCHIP_PIC_MASTER: |
| 324 | 325 | e->set = kvm_set_pic_irq; |
| 326 | + max_pin = 16; | |
| 325 | 327 | break; |
| 326 | 328 | case KVM_IRQCHIP_PIC_SLAVE: |
| 327 | 329 | e->set = kvm_set_pic_irq; |
| 330 | + max_pin = 16; | |
| 328 | 331 | delta = 8; |
| 329 | 332 | break; |
| 330 | 333 | case KVM_IRQCHIP_IOAPIC: |
| 334 | + max_pin = KVM_IOAPIC_NUM_PINS; | |
| 331 | 335 | e->set = kvm_set_ioapic_irq; |
| 332 | 336 | break; |
| 333 | 337 | default: |
| ... | ... | @@ -335,7 +339,7 @@ |
| 335 | 339 | } |
| 336 | 340 | e->irqchip.irqchip = ue->u.irqchip.irqchip; |
| 337 | 341 | e->irqchip.pin = ue->u.irqchip.pin + delta; |
| 338 | - if (e->irqchip.pin >= KVM_IOAPIC_NUM_PINS) | |
| 342 | + if (e->irqchip.pin >= max_pin) | |
| 339 | 343 | goto out; |
| 340 | 344 | rt->chip[ue->u.irqchip.irqchip][e->irqchip.pin] = ue->gsi; |
| 341 | 345 | break; |