aboutsummaryrefslogtreecommitdiffstats
path: root/arch/x86/kvm/x86.c
diff options
context:
space:
mode:
authorJan Kiszka <jan.kiszka@siemens.com>2009-10-23 03:37:00 -0400
committerMarcelo Tosatti <mtosatti@redhat.com>2009-11-04 09:42:35 -0500
commita9e38c3e01ad242fe2a625354cf065c34b01e3aa (patch)
tree4ea957d97f8d7399f1f58cfce2470f703f6d1a58 /arch/x86/kvm/x86.c
parent51bb296b09a83ee1aae025778db38f9d2cc7bb1a (diff)
KVM: x86: Catch potential overrun in MCE setup
We only allocate memory for 32 MCE banks (KVM_MAX_MCE_BANKS) but we allow user space to fill up to 255 on setup (mcg_cap & 0xff), corrupting kernel memory. Catch these overflows. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Diffstat (limited to 'arch/x86/kvm/x86.c')
-rw-r--r--arch/x86/kvm/x86.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 9b9695322f56..8a93fa894ba6 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1692,7 +1692,7 @@ static int kvm_vcpu_ioctl_x86_setup_mce(struct kvm_vcpu *vcpu,
1692 unsigned bank_num = mcg_cap & 0xff, bank; 1692 unsigned bank_num = mcg_cap & 0xff, bank;
1693 1693
1694 r = -EINVAL; 1694 r = -EINVAL;
1695 if (!bank_num) 1695 if (!bank_num || bank_num >= KVM_MAX_MCE_BANKS)
1696 goto out; 1696 goto out;
1697 if (mcg_cap & ~(KVM_MCE_CAP_SUPPORTED | 0xff | 0xff0000)) 1697 if (mcg_cap & ~(KVM_MCE_CAP_SUPPORTED | 0xff | 0xff0000))
1698 goto out; 1698 goto out;