github/acrn-hypervisor
1
0
Fork 0
mirror of https://github.com/projectacrn/acrn-hypervisor.git synced 2025-06-20 20:53:46 +00:00
Code Issues Projects Releases Wiki Activity

hv: fix possible buffer overflow in vlapic.c

Browse Source 
Possible buffer overflow will happen in vlapic_set_tmr()
  and vlapic_update_ppr(),this path is to fix them.

Tracked-On: #1252
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
This commit is contained in:
Yonghua Huang 2019-04-23 01:03:03 +08:00 committed by wenlingz
parent a3a77c7123
commit 7bcfebc55f
1 changed files with 5 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
hypervisor/arch/x86/guest/vlapic.c
View File

@ -462,11 +462,11 @@ vlapic_set_tmr(struct acrn_vlapic *vlapic, uint32_t vector, bool level)
lapic = &(vlapic->apic_page);
tmrptr = &lapic->tmr[0];
if (level) {
if (!bitmap32_test_and_set_lock((uint16_t)(vector & 0x1fU), &tmrptr[vector >> 5U].v)) {
if (!bitmap32_test_and_set_lock((uint16_t)(vector & 0x1fU), &tmrptr[(vector & 0xffU) >> 5U].v)) {
vcpu_set_eoi_exit_bitmap(vlapic->vcpu, vector);
}
} else {
if (bitmap32_test_and_clear_lock((uint16_t)(vector & 0x1fU), &tmrptr[vector >> 5U].v)) {
if (bitmap32_test_and_clear_lock((uint16_t)(vector & 0x1fU), &tmrptr[(vector & 0xffU) >> 5U].v)) {
vcpu_clear_eoi_exit_bitmap(vlapic->vcpu, vector);
}
}
@ -875,12 +875,10 @@ vlapic_update_ppr(struct acrn_vlapic *vlapic)
isrptr = &(vlapic->apic_page.isr[0]);
for (vector = 0U; vector < 256U; vector++) {
idx = vector >> 5U;
if ((isrptr[idx].v & (1U << (vector & 0x1fU)))
!= 0U) {
if (((isrptr[idx].v & (1U << (vector & 0x1fU))) != 0U)
&& (i < ISRVEC_STK_SIZE)) {
isrvec = (uint32_t)vlapic->isrvec_stk[i];
if ((i > vlapic->isrvec_stk_top) ||
((i < ISRVEC_STK_SIZE) &&
(isrvec != vector))) {
if ((i > vlapic->isrvec_stk_top) || (isrvec != vector)) {
dump_isrvec_stk(vlapic);
panic("ISR and isrvec_stk out of sync");
}