xen, cpu_hotplug: Prevent an out of bounds access

commit 201676095dda7e5b31a5e1d116d10fc22985075e upstream.

The "cpu" variable comes from the sscanf() so Smatch marks it as
untrusted data.  We can't pass a higher value than "nr_cpu_ids" to
cpu_possible() or it results in an out of bounds access.

Fixes: d68d82afd4c8 ("xen: implement CPU hotplugging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/drivers/xen/cpu_hotplug.c b/drivers/xen/cpu_hotplug.c
index cc6513a176b0b07ea25990a8470f3d8ee907f507..3a69af6f071807a2b8f6d73ad96bd5cf847e9aa1 100644 (file)
--- a/drivers/xen/cpu_hotplug.c
+++ b/drivers/xen/cpu_hotplug.c
@@ -47,7 +47,7 @@ static int vcpu_online(unsigned int cpu)
 }
 static void vcpu_hotplug(unsigned int cpu)
 {
-       if (!cpu_possible(cpu))
+       if (cpu >= nr_cpu_ids || !cpu_possible(cpu))
                return;
 
        switch (vcpu_online(cpu)) {