aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Kiszka <jan.kiszka@web.de>2009-07-02 15:45:47 -0400
committerAvi Kivity <avi@redhat.com>2009-08-05 06:58:03 -0400
commite125e7b6944898831b56739a5448e705578bf7e2 (patch)
tree27bdf220e2bedfd20358627563509089e8584003
parent90bc1a658a53f8832ee799685703977a450e5af9 (diff)
KVM: Fix KVM_GET_MSR_INDEX_LIST
So far, KVM copied the emulated_msrs (only MSR_IA32_MISC_ENABLE) to a wrong address in user space due to broken pointer arithmetic. This caused subtle corruption up there (missing MSR_IA32_MISC_ENABLE had probably no practical relevance). Moreover, the size check for the user-provided kvm_msr_list forgot about emulated MSRs. Cc: stable@kernel.org Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Avi Kivity <avi@redhat.com>
-rw-r--r--arch/x86/kvm/x86.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index fe5474aec41a..7bc311464fae 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1079,14 +1079,13 @@ long kvm_arch_dev_ioctl(struct file *filp,
1079 if (copy_to_user(user_msr_list, &msr_list, sizeof msr_list)) 1079 if (copy_to_user(user_msr_list, &msr_list, sizeof msr_list))
1080 goto out; 1080 goto out;
1081 r = -E2BIG; 1081 r = -E2BIG;
1082 if (n < num_msrs_to_save) 1082 if (n < msr_list.nmsrs)
1083 goto out; 1083 goto out;
1084 r = -EFAULT; 1084 r = -EFAULT;
1085 if (copy_to_user(user_msr_list->indices, &msrs_to_save, 1085 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
1086 num_msrs_to_save * sizeof(u32))) 1086 num_msrs_to_save * sizeof(u32)))
1087 goto out; 1087 goto out;
1088 if (copy_to_user(user_msr_list->indices 1088 if (copy_to_user(user_msr_list->indices + num_msrs_to_save,
1089 + num_msrs_to_save * sizeof(u32),
1090 &emulated_msrs, 1089 &emulated_msrs,
1091 ARRAY_SIZE(emulated_msrs) * sizeof(u32))) 1090 ARRAY_SIZE(emulated_msrs) * sizeof(u32)))
1092 goto out; 1091 goto out;