KVM: S390: fix potential array overrun in intercept handling
authorChristian Borntraeger <borntraeger@de.ibm.com>
Thu, 21 Jan 2010 11:19:07 +0000 (12:19 +0100)
committerMarcelo Tosatti <mtosatti@redhat.com>
Mon, 25 Jan 2010 14:26:39 +0000 (12:26 -0200)
kvm_handle_sie_intercept uses a jump table to get the intercept handler
for a SIE intercept. Static code analysis revealed a potential problem:
the intercept_funcs jump table was defined to contain (0x48 >> 2) entries,
but we only checked for code > 0x48 which would cause an off-by-one
array overflow if code == 0x48.

Use the compiler and ARRAY_SIZE to automatically set the limits.

Cc: stable@kernel.org
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
arch/s390/kvm/intercept.c

index ba9d8a7bc1ac93d6b41fff692ec4f3e3b2e30e9d..b40096494e469f6018146b517c54b7c5228ad7b1 100644 (file)
@@ -213,7 +213,7 @@ static int handle_instruction_and_prog(struct kvm_vcpu *vcpu)
        return rc2;
 }
 
-static const intercept_handler_t intercept_funcs[0x48 >> 2] = {
+static const intercept_handler_t intercept_funcs[] = {
        [0x00 >> 2] = handle_noop,
        [0x04 >> 2] = handle_instruction,
        [0x08 >> 2] = handle_prog,
@@ -230,7 +230,7 @@ int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
        intercept_handler_t func;
        u8 code = vcpu->arch.sie_block->icptcode;
 
-       if (code & 3 || code > 0x48)
+       if (code & 3 || (code >> 2) >= ARRAY_SIZE(intercept_funcs))
                return -ENOTSUPP;
        func = intercept_funcs[code >> 2];
        if (func)