diff options
author | Roel Kluin <roel.kluin@gmail.com> | 2009-08-07 04:39:25 -0400 |
---|---|---|
committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2009-08-07 04:40:40 -0400 |
commit | 53cb780adbe69df90c8dc23e992ce40455e687c3 (patch) | |
tree | cf6958d7b3f37eb5c89eadf97e2eecd4248814d6 /arch/s390/kvm/sigp.c | |
parent | 677c1dd706d9cc384730cbd52baf821923d8be9b (diff) |
[S390] KVM: Read buffer overflow
Check whether index is within bounds before testing the element.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'arch/s390/kvm/sigp.c')
-rw-r--r-- | arch/s390/kvm/sigp.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/arch/s390/kvm/sigp.c b/arch/s390/kvm/sigp.c index 36678835034d..0ef81d6776e9 100644 --- a/arch/s390/kvm/sigp.c +++ b/arch/s390/kvm/sigp.c | |||
@@ -169,7 +169,7 @@ static int __sigp_set_prefix(struct kvm_vcpu *vcpu, u16 cpu_addr, u32 address, | |||
169 | unsigned long *reg) | 169 | unsigned long *reg) |
170 | { | 170 | { |
171 | struct kvm_s390_float_interrupt *fi = &vcpu->kvm->arch.float_int; | 171 | struct kvm_s390_float_interrupt *fi = &vcpu->kvm->arch.float_int; |
172 | struct kvm_s390_local_interrupt *li; | 172 | struct kvm_s390_local_interrupt *li = NULL; |
173 | struct kvm_s390_interrupt_info *inti; | 173 | struct kvm_s390_interrupt_info *inti; |
174 | int rc; | 174 | int rc; |
175 | u8 tmp; | 175 | u8 tmp; |
@@ -189,9 +189,10 @@ static int __sigp_set_prefix(struct kvm_vcpu *vcpu, u16 cpu_addr, u32 address, | |||
189 | return 2; /* busy */ | 189 | return 2; /* busy */ |
190 | 190 | ||
191 | spin_lock(&fi->lock); | 191 | spin_lock(&fi->lock); |
192 | li = fi->local_int[cpu_addr]; | 192 | if (cpu_addr < KVM_MAX_VCPUS) |
193 | li = fi->local_int[cpu_addr]; | ||
193 | 194 | ||
194 | if ((cpu_addr >= KVM_MAX_VCPUS) || (li == NULL)) { | 195 | if (li == NULL) { |
195 | rc = 1; /* incorrect state */ | 196 | rc = 1; /* incorrect state */ |
196 | *reg &= SIGP_STAT_INCORRECT_STATE; | 197 | *reg &= SIGP_STAT_INCORRECT_STATE; |
197 | kfree(inti); | 198 | kfree(inti); |