From: Paul Mackerras <paulus@ozlabs.org>
To: kvm-ppc@vger.kernel.org
Subject: Re: [PATCH v2] kvm: mpic: limit active IRQ sources to NUM_OUTPUTS
Date: Wed, 20 Nov 2019 02:33:34 +0000
Message-ID: <20191120023334.GA24617@oak.ozlabs.ibm.com>
In-Reply-To: <20191115050620.21360-1-ppandit@redhat.com>

On Fri, Nov 15, 2019 at 10:36:20AM +0530, P J P wrote:
> From: P J P <pjp@fedoraproject.org>
>
> openpic_src_write sets interrupt level 'src->output' masked with
> ILR_INTTGT_MASK(=0xFF). It's then used to index 'dst->outputs_active'
> array. With NUM_OUTPUTS=3, it may lead to OOB array access. Limit
> active IRQ sources to < NUM_OUTPUTS.
>
> Reported-by: Reno Robert <renorobert@gmail.com>
> Signed-off-by: P J P <pjp@fedoraproject.org>
> ---
> arch/powerpc/kvm/mpic.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> Update v2: limit IRQ sources to NUM_OUTPUTS
> -> https://www.spinics.net/lists/kvm-ppc/msg16554.html
>
> diff --git a/arch/powerpc/kvm/mpic.c b/arch/powerpc/kvm/mpic.c
> index fe312c160d97..fe4afd54c6e7 100644
> --- a/arch/powerpc/kvm/mpic.c
> +++ b/arch/powerpc/kvm/mpic.c
> @@ -628,7 +628,7 @@ static inline void write_IRQreg_ilr(struct openpic *opp, int n_IRQ,
> if (opp->flags & OPENPIC_FLAG_ILR) {
> struct irq_source *src = &opp->src[n_IRQ];
>
> - src->output = val & ILR_INTTGT_MASK;
> + src->output = val % NUM_OUTPUTS;
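Review bot: On the `+` line in write_IRQreg_ilr, `val % NUM_OUTPUTS` folds every out-of-range write onto some other output instead of rejecting it, and it no longer applies ILR_INTTGT_MASK, so bits above the low byte of val now feed the result. With NUM_OUTPUTS=3 as stated in the commit message, a write of 4 selects output 1, which the caller never asked for. Consider an explicit `val < NUM_OUTPUTS` check with a defined fallback and a short comment saying what an out-of-range target means. The commit message could also be reworded: what the change bounds is the output index stored in src->output, not the number of active IRQ sources.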
Still not right, I'm afraid, since it could leave src->output set to
3, which would lead to an out-of-bounds array access. I think it
needs to be

	if (val < NUM_OUTPUTS)
		src->output = val;
	else
		src->output = ILR_INTTGT_INT;

or something like that.
Paul.
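
The following is an added example, not part of this thread or of arch/powerpc/kvm/mpic.c. It compares the three ways of deriving the output index discussed above (mask, modulo, range check with fallback) over every value the mask admits. NUM_OUTPUTS=3 and ILR_INTTGT_MASK=0xFF are taken from the commit message; the value 0 for ILR_INTTGT_INT and all function names are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_OUTPUTS     3     /* from the commit message */
#define ILR_INTTGT_MASK 0xFF  /* from the commit message */
#define ILR_INTTGT_INT  0     /* assumed value, for illustration only */

/* Pre-patch behaviour: mask only, so the result ranges over 0..255. */
static unsigned ilr_masked(uint32_t val) { return val & ILR_INTTGT_MASK; }

/* v2 patch: remainder; out-of-range writes alias onto another output. */
static unsigned ilr_modulo(uint32_t val) { return val % NUM_OUTPUTS; }

/* Range check with a defined fallback, the shape proposed in the reply. */
static unsigned ilr_checked(uint32_t val)
{
    return val < NUM_OUTPUTS ? val : ILR_INTTGT_INT;
}

/* 1 if idx may index an array declared with NUM_OUTPUTS elements. */
static int in_bounds(unsigned idx) { return idx < NUM_OUTPUTS; }

/* Count the byte-wide register values that produce an unsafe index. */
static int count_oob(unsigned (*sanitize)(uint32_t))
{
    int bad = 0;
    for (uint32_t v = 0; v <= ILR_INTTGT_MASK; v++)
        if (!in_bounds(sanitize(v)))
            bad++;
    return bad;
}

int main(void)
{
    printf("masked : %d of 256 values index out of bounds\n",
           count_oob(ilr_masked));
    printf("modulo : %d of 256 values index out of bounds\n",
           count_oob(ilr_modulo));
    printf("checked: %d of 256 values index out of bounds\n",
           count_oob(ilr_checked));
    /* Same write, different target: aliasing versus defined fallback. */
    printf("write 4 -> modulo picks %u, checked picks %u\n",
           ilr_modulo(4), ilr_checked(4));
    return 0;
}
```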