diff options
| author | Jan Kiszka <jan.kiszka@siemens.com> | 2009-10-23 03:37:00 -0400 |
|---|---|---|
| committer | Marcelo Tosatti <mtosatti@redhat.com> | 2009-11-04 09:42:35 -0500 |
| commit | a9e38c3e01ad242fe2a625354cf065c34b01e3aa (patch) | |
| tree | 4ea957d97f8d7399f1f58cfce2470f703f6d1a58 | |
| parent | 51bb296b09a83ee1aae025778db38f9d2cc7bb1a (diff) | |
KVM: x86: Catch potential overrun in MCE setup
We only allocate memory for 32 MCE banks (KVM_MAX_MCE_BANKS) but we
allow user space to fill up to 255 on setup (mcg_cap & 0xff), corrupting
kernel memory. Catch these overflows.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
| -rw-r--r-- | arch/x86/kvm/x86.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 9b9695322f56..8a93fa894ba6 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c | |||
| @@ -1692,7 +1692,7 @@ static int kvm_vcpu_ioctl_x86_setup_mce(struct kvm_vcpu *vcpu, | |||
| 1692 | unsigned bank_num = mcg_cap & 0xff, bank; | 1692 | unsigned bank_num = mcg_cap & 0xff, bank; |
| 1693 | 1693 | ||
| 1694 | r = -EINVAL; | 1694 | r = -EINVAL; |
| 1695 | if (!bank_num) | 1695 | if (!bank_num || bank_num >= KVM_MAX_MCE_BANKS) |
| 1696 | goto out; | 1696 | goto out; |
| 1697 | if (mcg_cap & ~(KVM_MCE_CAP_SUPPORTED | 0xff | 0xff0000)) | 1697 | if (mcg_cap & ~(KVM_MCE_CAP_SUPPORTED | 0xff | 0xff0000)) |
| 1698 | goto out; | 1698 | goto out; |