From: Avi Kivity <avi@redhat.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>,
kvm@vger.kernel.org, Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
cotte@de.ibm.com
Subject: Re: [PATCH] kvm-s390: fix potential array overrun in intercept handling
Date: Thu, 21 Jan 2010 13:00:19 +0200 [thread overview]
Message-ID: <4B5833C3.8070908@redhat.com> (raw)
In-Reply-To: <201001211156.03669.borntraeger@de.ibm.com>
On 01/21/2010 12:56 PM, Christian Borntraeger wrote:
> Avi, Marcelo,
>
> kvm_handle_sie_intercept uses a jump table to get the intercept handler
> for a SIE intercept. Static code analysis revealed a potential problem:
> the intercept_funcs jump table was defined to contain (0x48>> 2) entries,
> but we only checked for code> 0x48 which would cause an off-by-one
> array overflow if code == 0x48.
>
> Since the table is only populated up to (0x28>> 2), we can reduce the
> jump table size while fixing the off-by-one.
>
>
>
> -static const intercept_handler_t intercept_funcs[0x48>> 2] = {
> +static const intercept_handler_t intercept_funcs[(0x28>> 2) + 1] = {
> [0x00>> 2] = handle_noop,
> [0x04>> 2] = handle_instruction,
> [0x08>> 2] = handle_prog,
> [0x0C>> 2] = handle_instruction_and_prog,
> [0x10>> 2] = handle_noop,
> [0x14>> 2] = handle_noop,
> [0x1C>> 2] = kvm_s390_handle_wait,
> [0x20>> 2] = handle_validity,
> [0x28>> 2] = handle_stop,
> };
>
You can define the array without a size to let the compiler figure out
the minimum size.
>
> int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
> {
> intercept_handler_t func;
> u8 code = vcpu->arch.sie_block->icptcode;
>
> - if (code& 3 || code> 0x48)
> + if (code& 3 || code> 0x28)
> return -ENOTSUPP;
>
And here, check against ARRAY_SIZE() instead of a magic number.
--
error compiling committee.c: too many arguments to function
next prev parent reply other threads:[~2010-01-21 11:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-21 10:56 [PATCH] kvm-s390: fix potential array overrun in intercept handling Christian Borntraeger
2010-01-21 11:00 ` Avi Kivity [this message]
2010-01-21 11:19 ` [PATCHv2] " Christian Borntraeger
2010-01-21 11:24 ` Heiko Carstens
2010-01-21 11:32 ` Christian Borntraeger
2010-01-21 17:36 ` Marcelo Tosatti
2010-01-21 23:15 ` Alexander Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4B5833C3.8070908@redhat.com \
--to=avi@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=cotte@de.ibm.com \
--cc=heiko.carstens@de.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=mtosatti@redhat.com \
--cc=schwidefsky@de.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox