hv: fix potential buffer overflow in vioapic.c

@vioapic_set_pinstate() & vioapic_need_intr(), add checking input value range for 'pin'. Tracked-On: #1479 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
2025-06-21 13:08:42 +00:00 · 2018-10-17 19:15:05 +08:00 · 2018-10-17 19:15:05 +08:00 · 102f5a0141
commit 102f5a0141
parent eb328d78ea
1 changed files with 15 additions and 4 deletions
--- a/hypervisor/dm/vioapic.c
+++ b/hypervisor/dm/vioapic.c
@ -85,8 +85,13 @@ static void
 vioapic_set_pinstate(struct acrn_vioapic *vioapic, uint16_t pin, uint32_t level)
 {
 	uint32_t old_lvl;
-	union ioapic_rte rte = vioapic->rtbl[pin];
+	union ioapic_rte rte;

+	if (pin >= REDIR_ENTRIES_HW) {
+		return;
+	}
+
+	rte = vioapic->rtbl[pin];
 	old_lvl = (uint32_t)bitmap_test(pin & 0x3FU, &vioapic->pin_state[pin >> 6U]);
 	if (level == 0U) {
 		/* clear pin_state and deliver interrupt according to polarity */
@ -245,9 +250,15 @@ vioapic_indirect_read(struct acrn_vioapic *vioapic, uint32_t addr)

 static inline bool vioapic_need_intr(struct acrn_vioapic *vioapic, uint16_t pin)
 {
-	uint32_t lvl =(uint32_t)bitmap_test(pin & 0x3FU,
-			&vioapic->pin_state[pin >> 6U]);
-	union ioapic_rte rte = vioapic->rtbl[pin];
+	uint32_t lvl;
+	union ioapic_rte rte;
+
+	if (pin >= REDIR_ENTRIES_HW) {
+		return false;
+	}
+
+	rte = vioapic->rtbl[pin];
+	lvl = (uint32_t)bitmap_test(pin & 0x3FU, &vioapic->pin_state[pin >> 6U]);

 	return !!((((rte.full & IOAPIC_RTE_INTPOL) != 0UL) && lvl == 0U) ||
 		(((rte.full & IOAPIC_RTE_INTPOL) == 0UL) && lvl != 0U));