mshv: add bounds check on vp_index in mshv_intercept_isr()
authorJunrui Luo <moonafterrain@outlook.com>
Thu, 16 Apr 2026 14:18:05 +0000 (22:18 +0800)
committerWei Liu <wei.liu@kernel.org>
Mon, 8 Jun 2026 06:22:46 +0000 (23:22 -0700)
mshv_intercept_isr() extracts vp_index from the hypervisor message
payload and uses it directly to index into pt_vp_array without
validation. handle_bitset_message() and handle_pair_message() already
validate vp_index against MSHV_MAX_VPS before array access.

Add the same MSHV_MAX_VPS bounds check for consistency with the other
message handlers.

Fixes: 621191d709b1 ("Drivers: hv: Introduce mshv_root module to expose /dev/mshv to VMMs")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Signed-off-by: Wei Liu <wei.liu@kernel.org>
drivers/hv/mshv_synic.c

index e2288a726fec94b3d1be485fd006d2ef3685ddc4..fe591d159766fc128c3eb23af612b5da2090fa9f 100644 (file)
@@ -383,6 +383,11 @@ mshv_intercept_isr(struct hv_message *msg)
         */
        vp_index =
               ((struct hv_opaque_intercept_message *)msg->u.payload)->vp_index;
+       /* This shouldn't happen, but just in case. */
+       if (unlikely(vp_index >= MSHV_MAX_VPS)) {
+               pr_debug("VP index %u out of bounds\n", vp_index);
+               goto unlock_out;
+       }
        vp = partition->pt_vp_array[vp_index];
        if (unlikely(!vp)) {
                pr_debug("failed to find VP %u\n", vp_index);
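Review bot: The comment on the new check, `/* This shouldn't happen, but just in case. */`, does not say where vp_index comes from or why MSHV_MAX_VPS is the right bound. Something like `/* vp_index is read from the message payload; reject values that would index past pt_vp_array. */` would record that, assuming pt_vp_array has MSHV_MAX_VPS entries, which the hunk does not show. The rejection is logged with pr_debug(), which is normally silent unless dynamic debug is enabled, so an out-of-range index would be dropped without any trace. If that condition indicates a malformed message, a rate-limited warning such as `pr_warn_ratelimited("VP index %u out of bounds\n", vp_index);` would make it visible to operators. The body of mshv_intercept_isr() and the unlock_out label are outside the hunk, so the cleanup path could not be checked here.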