LoongArch: KVM: Check validity of "num_cpu" from user space
authorBibo Mao <maobibo@loongson.cn>
Fri, 27 Jun 2025 10:27:44 +0000 (18:27 +0800)
committerHuacai Chen <chenhuacai@loongson.cn>
Fri, 27 Jun 2025 10:27:44 +0000 (18:27 +0800)
The maximum supported cpu number for the EIOINTC irqchip is EIOINTC_ROUTE_MAX_VCPUS,
so add validation of the cpu number here to avoid an array pointer overflow.

Cc: stable@vger.kernel.org
Fixes: 1ad7efa552fd ("LoongArch: KVM: Add EIOINTC user mode read and write functions")
Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
arch/loongarch/kvm/intc/eiointc.c

index 644fb7785c0752f2741f0240b0a99b42897a4952..056a75f7d090ee0f8fa46ecd8de9a60cf4ea2be1 100644 (file)
@@ -805,7 +805,7 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *dev,
        int ret = 0;
        unsigned long flags;
        unsigned long type = (unsigned long)attr->attr;
-       u32 i, start_irq;
+       u32 i, start_irq, val;
        void __user *data;
        struct loongarch_eiointc *s = dev->kvm->arch.eiointc;
 
@@ -813,8 +813,14 @@ static int kvm_eiointc_ctrl_access(struct kvm_device *dev,
        spin_lock_irqsave(&s->lock, flags);
        switch (type) {
        case KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_NUM_CPU:
-               if (copy_from_user(&s->num_cpu, data, 4))
+               if (copy_from_user(&val, data, 4))
                        ret = -EFAULT;
+               else {
+                       if (val >= EIOINTC_ROUTE_MAX_VCPUS)
+                               ret = -EINVAL;
+                       else
+                               s->num_cpu = val;
+               }
                break;
        case KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_FEATURE:
                if (copy_from_user(&s->features, data, 4))
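Review bot: The bound `if (val >= EIOINTC_ROUTE_MAX_VCPUS)` rejects val == EIOINTC_ROUTE_MAX_VCPUS, although the commit message describes that value as the maximum supported cpu number; if the per-cpu arrays have EIOINTC_ROUTE_MAX_VCPUS rows and every index is later guarded by `cpu >= s->num_cpu` (as in the COREISR hunk below), the exact bound would be `if (val > EIOINTC_ROUTE_MAX_VCPUS)`, and otherwise a one-line comment stating why the maximum itself is excluded would stop the next reader from "fixing" it. A val of 0 is accepted, which makes every COREISR access fail with -EINVAL; if that is intended it deserves the same comment. Stylistically, the `else { if (...) ... else ... }` nesting reads more naturally as an `else if` chain with balanced braces on both branches, which is what checkpatch expects. kvm_eiointc_ctrl_access continues outside this hunk (and its `val` declaration is in the previous hunk).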
@@ -842,7 +848,7 @@ static int kvm_eiointc_regs_access(struct kvm_device *dev,
                                        struct kvm_device_attr *attr,
                                        bool is_write)
 {
-       int addr, cpuid, offset, ret = 0;
+       int addr, cpu, offset, ret = 0;
        unsigned long flags;
        void *p = NULL;
        void __user *data;
@@ -850,7 +856,7 @@ static int kvm_eiointc_regs_access(struct kvm_device *dev,
 
        s = dev->kvm->arch.eiointc;
        addr = attr->attr;
-       cpuid = addr >> 16;
+       cpu = addr >> 16;
        addr &= 0xffff;
        data = (void __user *)attr->addr;
        switch (addr) {
@@ -875,8 +881,11 @@ static int kvm_eiointc_regs_access(struct kvm_device *dev,
                p = &s->isr.reg_u32[offset];
                break;
        case EIOINTC_COREISR_START ... EIOINTC_COREISR_END:
+               if (cpu >= s->num_cpu)
+                       return -EINVAL;
+
                offset = (addr - EIOINTC_COREISR_START) / 4;
-               p = &s->coreisr.reg_u32[cpuid][offset];
+               p = &s->coreisr.reg_u32[cpu][offset];
                break;
        case EIOINTC_COREMAP_START ... EIOINTC_COREMAP_END:
                offset = (addr - EIOINTC_COREMAP_START) / 4;
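Review bot: The guard `if (cpu >= s->num_cpu)` reads num_cpu without the spin lock that kvm_eiointc_ctrl_access holds when writing it, so if INIT_NUM_CPU could be issued concurrently with a register access the check and the index could disagree; presumably num_cpu is configured once during setup, but that assumption should be stated, e.g. `/* num_cpu is fixed at init via KVM_DEV_LOONGARCH_EXTIOI_CTRL_INIT_NUM_CPU and bounded by EIOINTC_ROUTE_MAX_VCPUS */`. cpu is an int derived from `addr >> 16` with addr an int copied from attr->attr, so a negative cpu is only caught by this comparison if num_cpu is unsigned (the 4-byte copy_from_user suggests u32, but the declaration is not in the hunk); if it is signed, an explicit `cpu < 0 ||` belongs in the condition. The early `return -EINVAL` differs from the `ret = ...; break;` pattern used elsewhere in the function, which is fine only if no lock or resource is held at this point; the lines visible in the previous hunk show none, but kvm_eiointc_regs_access continues outside this hunk.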