diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2017-05-10 15:43:17 -0400 |
|---|---|---|
| committer | Radim Krčmář <rkrcmar@redhat.com> | 2017-05-15 10:08:56 -0400 |
| commit | 4769886baf39b6a307eb8f9e39848823ca6c5939 (patch) | |
| tree | 874f4adce443e6db0abd48b469cbb91398e57d87 | |
| parent | 65acb891aaeb9294ebd06beb6138278b2331fec0 (diff) | |
kvm: nVMX: off by one in vmx_write_pml_buffer()
There are PML_ENTITY_NUM elements in the pml_address[] array so the >
should be >= or we write beyond the end of the array when we do:
pml_address[vmcs12->guest_pml_index--] = gpa;
Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
| -rw-r--r-- | arch/x86/kvm/vmx.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index c6f4ad44aa95..7698e8f321bf 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c | |||
| @@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu) | |||
| 11213 | if (!nested_cpu_has_pml(vmcs12)) | 11213 | if (!nested_cpu_has_pml(vmcs12)) |
| 11214 | return 0; | 11214 | return 0; |
| 11215 | 11215 | ||
| 11216 | if (vmcs12->guest_pml_index > PML_ENTITY_NUM) { | 11216 | if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) { |
| 11217 | vmx->nested.pml_full = true; | 11217 | vmx->nested.pml_full = true; |
| 11218 | return 1; | 11218 | return 1; |
| 11219 | } | 11219 | } |