From: Dan Carpenter Date: Wed, 10 May 2017 19:43:17 +0000 (+0300) Subject: kvm: nVMX: off by one in vmx_write_pml_buffer() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=4769886baf39b6a307eb8f9e39848823ca6c5939;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git kvm: nVMX: off by one in vmx_write_pml_buffer() There are PML_ENTITY_NUM elements in the pml_address[] array so the > should be >= or we write beyond the end of the array when we do: pml_address[vmcs12->guest_pml_index--] = gpa; Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging") Signed-off-by: Dan Carpenter Signed-off-by: Radim Krčmář --- diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index c6f4ad44aa95..7698e8f321bf 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu) if (!nested_cpu_has_pml(vmcs12)) return 0; - if (vmcs12->guest_pml_index > PML_ENTITY_NUM) { + if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) { vmx->nested.pml_full = true; return 1; }
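Review bot: The change from `>` to `>=` in the bound check is the right fix, and it is the only line in the hunk that needs to change: the commit message states that pml_address[] has PML_ENTITY_NUM elements, so the valid indices are 0 through PML_ENTITY_NUM - 1, and with `>` an index equal to PML_ENTITY_NUM passed the check and the store `pml_address[vmcs12->guest_pml_index--] = gpa;` wrote one element past the end. Since guest_pml_index is read from vmcs12, i.e. state supplied by the L1 guest, consider adding a short comment above the `if` noting that this is validation of guest-controlled input and that the index must be strictly below PML_ENTITY_NUM before it is used as an array subscript, so that a future reader does not relax the comparison again.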