From 00b47df9690f2d80b34d5f495babc41e1e6eda5e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 26 Jan 2010 11:06:09 -0800
Subject: [PATCH] another .27 patch

---
 ...-array-overrun-in-intercept-handling.patch | 45 +++++++++++++++++++
 queue-2.6.27/series | 1 +
 2 files changed, 46 insertions(+)
 create mode 100644 queue-2.6.27/kvm-s390-fix-potential-array-overrun-in-intercept-handling.patch

diff --git a/queue-2.6.27/kvm-s390-fix-potential-array-overrun-in-intercept-handling.patch b/queue-2.6.27/kvm-s390-fix-potential-array-overrun-in-intercept-handling.patch
new file mode 100644
index 00000000000..7a848367569
--- /dev/null
+++ b/queue-2.6.27/kvm-s390-fix-potential-array-overrun-in-intercept-handling.patch
@@ -0,0 +1,45 @@
+From 062d5e9b0d714f449b261bb522eadaaf6f00f438 Mon Sep 17 00:00:00 2001
+From: Christian Borntraeger
+Date: Thu, 21 Jan 2010 12:19:07 +0100
+Subject: KVM: S390: fix potential array overrun in intercept handling
+
+From: Christian Borntraeger
+
+commit 062d5e9b0d714f449b261bb522eadaaf6f00f438 upstream.
+
+kvm_handle_sie_intercept uses a jump table to get the intercept handler
+for a SIE intercept. Static code analysis revealed a potential problem:
+the intercept_funcs jump table was defined to contain (0x48 >> 2) entries,
+but we only checked for code > 0x48 which would cause an off-by-one
+array overflow if code == 0x48.
+
+Use the compiler and ARRAY_SIZE to automatically set the limits.
+
+Signed-off-by: Christian Borntraeger
+Signed-off-by: Marcelo Tosatti
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kvm/intercept.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/s390/kvm/intercept.c
++++ b/arch/s390/kvm/intercept.c
+@@ -199,7 +199,7 @@ static int handle_instruction_and_prog(s
+ return rc2;
+ }
+ 
+-static const intercept_handler_t intercept_funcs[0x48 >> 2] = {
++static const intercept_handler_t intercept_funcs[] = {
+ [0x00 >> 2] = handle_noop,
+ [0x04 >> 2] = handle_instruction,
+ [0x08 >> 2] = handle_prog,
+@@ -216,7 +216,7 @@ int kvm_handle_sie_intercept(struct kvm_
+ intercept_handler_t func;
+ u8 code = vcpu->arch.sie_block->icptcode;
+ 
+- if (code & 3 || code > 0x48)
++ if (code & 3 || (code >> 2) >= ARRAY_SIZE(intercept_funcs))
+ return -ENOTSUPP;
+ func = intercept_funcs[code >> 2];
+ if (func)
diff --git a/queue-2.6.27/series b/queue-2.6.27/series
index 57ff925b37e..dc170a65b36 100644
--- a/queue-2.6.27/series
+++ b/queue-2.6.27/series
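Review bot: The table's bound is now implicit, so the range check in kvm_handle_sie_intercept is only as strong as the highest designated index in `intercept_funcs`, and that tail of the initializer lies past the end of the first inner hunk where it cannot be confirmed here; a comment on the table would make the coupling explicit, e.g. `/* Indexed by icptcode >> 2; kvm_handle_sie_intercept() bounds-checks against ARRAY_SIZE(), so adding an entry widens the accepted code range. */`. The new check `(code >> 2) >= ARRAY_SIZE(intercept_funcs)` is sound for every value of the u8 `code` read from the SIE block, since the promoted index is never negative, and it closes the code == 0x48 overrun the commit message describes. `ARRAY_SIZE` is presumably already in scope through the file's existing kernel headers; nothing in the hunk shows that include. For readability I would parenthesize the bit test, `if ((code & 3) || (code >> 2) >= ARRAY_SIZE(intercept_funcs))`, so the precedence of `&` over `||` does not have to be recalled by the reader. Both the `intercept_funcs` initializer and the body of kvm_handle_sie_intercept continue outside their hunks.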
@@ -8,3 +8,4 @@ usb-add-missing-delay-during-remote-wakeup.patch
 usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch
 usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch
 ipc-ns-fix-memory-leak-idr.patch
+kvm-s390-fix-potential-array-overrun-in-intercept-handling.patch
-- 
2.47.3