From 102f5a01414fb1fa06bacd576f4800cca87d3fca Mon Sep 17 00:00:00 2001
From: Yonghua Huang
Date: Wed, 17 Oct 2018 19:15:05 +0800
Subject: [PATCH] hv: fix potential buffer overflow in vioapic.c

@vioapic_set_pinstate() & vioapic_need_intr(), add checking input value range for 'pin'.

Tracked-On: #1479
Signed-off-by: Yonghua Huang
Acked-by: Eddie Dong
---
 hypervisor/dm/vioapic.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/hypervisor/dm/vioapic.c b/hypervisor/dm/vioapic.c
index 9a6ca6199..0e5b097a5 100644
--- a/hypervisor/dm/vioapic.c
+++ b/hypervisor/dm/vioapic.c
@@ -85,8 +85,13 @@ static void
 vioapic_set_pinstate(struct acrn_vioapic *vioapic, uint16_t pin, uint32_t level)
 {
 uint32_t old_lvl;
- union ioapic_rte rte = vioapic->rtbl[pin];
+ union ioapic_rte rte;
+ if (pin >= REDIR_ENTRIES_HW) {
+ return;
+ }
+
+ rte = vioapic->rtbl[pin];
 old_lvl = (uint32_t)bitmap_test(pin & 0x3FU, &vioapic->pin_state[pin >> 6U]);
 if (level == 0U) {
 /* clear pin_state and deliver interrupt according to polarity */
@@ -245,9 +250,15 @@ vioapic_indirect_read(struct acrn_vioapic *vioapic, uint32_t addr)
 static inline bool
 vioapic_need_intr(struct acrn_vioapic *vioapic, uint16_t pin)
 {
- uint32_t lvl =(uint32_t)bitmap_test(pin & 0x3FU,
- &vioapic->pin_state[pin >> 6U]);
- union ioapic_rte rte = vioapic->rtbl[pin];
+ uint32_t lvl;
+ union ioapic_rte rte;
+
+ if (pin >= REDIR_ENTRIES_HW) {
+ return false;
+ }
+
+ rte = vioapic->rtbl[pin];
+ lvl = (uint32_t)bitmap_test(pin & 0x3FU, &vioapic->pin_state[pin >> 6U]);
 return !!((((rte.full & IOAPIC_RTE_INTPOL) != 0UL) && lvl == 0U) ||
 (((rte.full & IOAPIC_RTE_INTPOL) == 0UL) && lvl != 0U));
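Review bot: The new range checks reject an out-of-range `pin` silently, with `return;` in vioapic_set_pinstate() and `return false;` in vioapic_need_intr() (second hunk), so a caller that passes a bad index gets the same result as a legitimate "nothing to do" and the event leaves no trace for anyone debugging a misbehaving guest or device model. I would log at both rejection points, or at minimum state the contract above each check, e.g. `/* pin indexes rtbl[] and pin_state[]; values >= REDIR_ENTRIES_HW are rejected rather than read out of bounds */`. The guard is only sufficient if `rtbl` holds REDIR_ENTRIES_HW entries and `pin_state` has at least one bit per entry; neither declaration is visible in this patch, so that is worth confirming, ideally with a compile-time assertion beside the struct definition. Both function bodies continue beyond the hunks, and any other place in vioapic.c that indexes `rtbl` with a caller-supplied pin is not shown here and should get the same check.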