--- /dev/null
+From 062d5e9b0d714f449b261bb522eadaaf6f00f438 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+Date: Thu, 21 Jan 2010 12:19:07 +0100
+Subject: KVM: S390: fix potential array overrun in intercept handling
+
+From: Christian Borntraeger <borntraeger@de.ibm.com>
+
+commit 062d5e9b0d714f449b261bb522eadaaf6f00f438 upstream.
+
+kvm_handle_sie_intercept uses a jump table to get the intercept handler
+for a SIE intercept. Static code analysis revealed a potential problem:
+the intercept_funcs jump table was defined to contain (0x48 >> 2) entries,
+but we only checked for code > 0x48 which would cause an off-by-one
+array overflow if code == 0x48.
+
+Use the compiler and ARRAY_SIZE to automatically set the limits.
+
+Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/s390/kvm/intercept.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -199,7 +199,7 @@ static int handle_instruction_and_prog(s
+ return rc2;
+ }
+
+-static const intercept_handler_t intercept_funcs[0x48 >> 2] = {
++static const intercept_handler_t intercept_funcs[] = {
+ [0x00 >> 2] = handle_noop,
+ [0x04 >> 2] = handle_instruction,
+ [0x08 >> 2] = handle_prog,
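Review bot: The declaration of `intercept_funcs[]` no longer states its length, so the bound now depends on the highest designated initializer, which lies outside this hunk, and nothing at the table documents that. A comment above it such as `/* indexed by icptcode >> 2; length follows the highest entry, unlisted slots are NULL */` would make the contract explicit. Gaps between designated entries are zero-initialized, so every lookup still needs the NULL test that appears as `if (func)` in the second hunk. The initializer list continues past the last line shown here.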
+@@ -216,7 +216,7 @@ int kvm_handle_sie_intercept(struct kvm_
+ intercept_handler_t func;
+ u8 code = vcpu->arch.sie_block->icptcode;
+
+- if (code & 3 || code > 0x48)
++ if (code & 3 || (code >> 2) >= ARRAY_SIZE(intercept_funcs))
+ return -ENOTSUPP;
+ func = intercept_funcs[code >> 2];
+ if (func)
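Review bot: The new guard `code & 3 || (code >> 2) >= ARRAY_SIZE(intercept_funcs)` leaves the alignment test unparenthesized and does not say why both tests must pass before `intercept_funcs[code >> 2]` is read. I would write it as `if ((code & 3) || (code >> 2) >= ARRAY_SIZE(intercept_funcs))` and add `/* icptcode must be a multiple of 4; code >> 2 is the table index */` above it. The intercept code is copied once into the local `code`, and both the check and the lookup use that copy, which is worth preserving in later edits. The function starts before this hunk and continues past it, so the path taken when `func` is NULL is not visible here.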