diff options
author | Jan Kiszka <jan.kiszka@siemens.com> | 2009-10-23 03:37:00 -0400 |
---|---|---|
committer | Marcelo Tosatti <mtosatti@redhat.com> | 2009-11-04 09:42:35 -0500 |
commit | a9e38c3e01ad242fe2a625354cf065c34b01e3aa (patch) | |
tree | 4ea957d97f8d7399f1f58cfce2470f703f6d1a58 /arch/x86/kvm/x86.c | |
parent | 51bb296b09a83ee1aae025778db38f9d2cc7bb1a (diff) |
KVM: x86: Catch potential overrun in MCE setup
We only allocate memory for 32 MCE banks (KVM_MAX_MCE_BANKS) but we
allow user space to fill up to 255 on setup (mcg_cap & 0xff), corrupting
kernel memory. Catch these overflows.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Diffstat (limited to 'arch/x86/kvm/x86.c')
-rw-r--r-- | arch/x86/kvm/x86.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 9b9695322f56..8a93fa894ba6 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c | |||
@@ -1692,7 +1692,7 @@ static int kvm_vcpu_ioctl_x86_setup_mce(struct kvm_vcpu *vcpu, | |||
1692 | unsigned bank_num = mcg_cap & 0xff, bank; | 1692 | unsigned bank_num = mcg_cap & 0xff, bank; |
1693 | 1693 | ||
1694 | r = -EINVAL; | 1694 | r = -EINVAL; |
1695 | if (!bank_num) | 1695 | if (!bank_num || bank_num >= KVM_MAX_MCE_BANKS) |
1696 | goto out; | 1696 | goto out; |
1697 | if (mcg_cap & ~(KVM_MCE_CAP_SUPPORTED | 0xff | 0xff0000)) | 1697 | if (mcg_cap & ~(KVM_MCE_CAP_SUPPORTED | 0xff | 0xff0000)) |
1698 | goto out; | 1698 | goto out; |