From patchwork Thu Jan 21 11:19:07 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christian Borntraeger
X-Patchwork-Id: 74314
From: Christian Borntraeger Organization: IBM To: Avi Kivity , Marcelo Tosatti Subject: [PATCHv2] kvm-s390: fix potential array overrun in intercept handling Date: Thu, 21 Jan 2010 12:19:07 +0100 User-Agent: KMail/1.12.4 (Linux/2.6.33-rc4-self-00399-g24bc734; KDE/4.3.4; x86_64; ; ) Cc: kvm@vger.kernel.org, Martin Schwidefsky , Heiko Carstens , cotte@de.ibm.com References: <201001211156.03669.borntraeger@de.ibm.com> <4B5833C3.8070908@redhat.com> In-Reply-To: <4B5833C3.8070908@redhat.com> MIME-Version: 1.0 Message-Id: <201001211219.07628.borntraeger@de.ibm.com> Sender: kvm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: kvm@vger.kernel.org Index: linux-2.6/arch/s390/kvm/intercept.c =================================================================== --- linux-2.6.orig/arch/s390/kvm/intercept.c +++ linux-2.6/arch/s390/kvm/intercept.c @@ -208,32 +208,32 @@ static int handle_instruction_and_prog(s if (rc == -ENOTSUPP) vcpu->arch.sie_block->icptcode = 0x04; if (rc) return rc; return rc2; } -static const intercept_handler_t intercept_funcs[0x48 >> 2] = { +static const intercept_handler_t intercept_funcs[] = { [0x00 >> 2] = handle_noop, [0x04 >> 2] = handle_instruction, [0x08 >> 2] = handle_prog, [0x0C >> 2] = handle_instruction_and_prog, [0x10 >> 2] = handle_noop, [0x14 >> 2] = handle_noop, [0x1C >> 2] = kvm_s390_handle_wait, [0x20 >> 2] = handle_validity, [0x28 >> 2] = handle_stop, }; int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu) { intercept_handler_t func; u8 code = vcpu->arch.sie_block->icptcode; - if (code & 3 || code > 0x48) + if (code & 3 || (code >> 2) >= ARRAY_SIZE(intercept_funcs)) return -ENOTSUPP; func = intercept_funcs[code >> 2]; if (func) return func(vcpu); return -ENOTSUPP; }
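Review bot: the new bound is right, but the patch carries no changelog body and no Signed-off-by line; please add both and spell out the off-by-one being fixed: `code > 0x48` let `code == 0x48` through, and `intercept_funcs[0x48 >> 2]` has 18 entries (indices 0..17), so `intercept_funcs[code >> 2]` read one past the end of the table. With the `[]` declaration the table now has 11 entries (the largest designated index is `0x28 >> 2`), so codes 0x2C through 0x48 that formerly hit a NULL slot and fell through to `return -ENOTSUPP` are now rejected by the bounds check with the same return value, and tying the check to `ARRAY_SIZE(intercept_funcs)` means a handler later added at a higher index cannot reintroduce the overrun. Since `code` is a `u8`, `code >> 2` promotes to a non-negative int, so the comparison against the unsigned `ARRAY_SIZE` result is safe; a pair of parentheses around `code & 3` would make the precedence in the combined condition easier to read but is not required.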