From 7bcfebc55f3529c66b402097ffa3d27c1836a9cc Mon Sep 17 00:00:00 2001
From: Yonghua Huang
Date: Tue, 23 Apr 2019 01:03:03 +0800
Subject: [PATCH] hv: fix possible buffer overflow in vlapic.c

Possible buffer overflow will happen in vlapic_set_tmr() and vlapic_update_ppr(),this path is to fix them.
Tracked-On: #1252
Signed-off-by: Yonghua Huang
Acked-by: Eddie Dong
---
 hypervisor/arch/x86/guest/vlapic.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/hypervisor/arch/x86/guest/vlapic.c b/hypervisor/arch/x86/guest/vlapic.c
index 6660d4bb6..a5853f99a 100644
--- a/hypervisor/arch/x86/guest/vlapic.c
+++ b/hypervisor/arch/x86/guest/vlapic.c
@@ -462,11 +462,11 @@ vlapic_set_tmr(struct acrn_vlapic *vlapic, uint32_t vector, bool level)
 lapic = &(vlapic->apic_page);
 tmrptr = &lapic->tmr[0];
 if (level) {
- if (!bitmap32_test_and_set_lock((uint16_t)(vector & 0x1fU), &tmrptr[vector >> 5U].v)) {
+ if (!bitmap32_test_and_set_lock((uint16_t)(vector & 0x1fU), &tmrptr[(vector & 0xffU) >> 5U].v)) {
 vcpu_set_eoi_exit_bitmap(vlapic->vcpu, vector);
 }
 } else {
- if (bitmap32_test_and_clear_lock((uint16_t)(vector & 0x1fU), &tmrptr[vector >> 5U].v)) {
+ if (bitmap32_test_and_clear_lock((uint16_t)(vector & 0x1fU), &tmrptr[(vector & 0xffU) >> 5U].v)) {
 vcpu_clear_eoi_exit_bitmap(vlapic->vcpu, vector);
 }
 }
@@ -875,12 +875,10 @@ vlapic_update_ppr(struct acrn_vlapic *vlapic)
 isrptr = &(vlapic->apic_page.isr[0]);
 for (vector = 0U; vector < 256U; vector++) {
 idx = vector >> 5U;
- if ((isrptr[idx].v & (1U << (vector & 0x1fU)))
- != 0U) {
+ if (((isrptr[idx].v & (1U << (vector & 0x1fU))) != 0U)
+ && (i < ISRVEC_STK_SIZE)) {
 isrvec = (uint32_t)vlapic->isrvec_stk[i];
- if ((i > vlapic->isrvec_stk_top) ||
- ((i < ISRVEC_STK_SIZE) &&
- (isrvec != vector))) {
+ if ((i > vlapic->isrvec_stk_top) || (isrvec != vector)) {
 dump_isrvec_stk(vlapic);
 panic("ISR and isrvec_stk out of sync");
 }
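Review bot: Masking the index with `(vector & 0xffU) >> 5U` stops the out-of-bounds access into tmr[], but it does so by silently aliasing any vector >= 256 onto one of the valid 0..255 entries, and the same unmasked `vector` still flows into `vcpu_set_eoi_exit_bitmap()` and `vcpu_clear_eoi_exit_bitmap()` on the lines below, so whatever bound those callees apply becomes the only remaining guard. An explicit range check at the top of vlapic_set_tmr, e.g. `if (vector >= 256U) { return; }` or an assertion if every caller is trusted to pass a valid vector, would reject the bad value where it enters instead of remapping it to a different interrupt's TMR bit. Whether an out-of-range vector can actually reach this function from guest-controlled state is not visible in the hunk, so please confirm against the callers before choosing between reject and assert. vlapic_set_tmr's signature and the declarations of lapic and tmrptr lie outside the hunk.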
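Review bot: The added `&& (i < ISRVEC_STK_SIZE)` on the outer condition removes the out-of-bounds read of isrvec_stk[i], but it also turns a state with more in-service bits than stack entries into a silent no-op: once i reaches ISRVEC_STK_SIZE the loop skips every remaining set ISR bit without ever reaching dump_isrvec_stk() or panic(), so the consistency check this loop exists for is disabled exactly when the state is most inconsistent. Keep the ISR-bit test as the outer condition and fold the index bound into the inner mismatch test, relying on short-circuit evaluation so the array is only read in range: `if ((i >= ISRVEC_STK_SIZE) || (i > vlapic->isrvec_stk_top) || ((uint32_t)vlapic->isrvec_stk[i] != vector)) {` followed by the existing dump and panic, at which point the `isrvec` temporary can be dropped. Where i is incremented and how isrvec_stk_top relates to ISRVEC_STK_SIZE are not visible here, so the exact comparison may need adjusting; vlapic_update_ppr's body continues outside the hunk.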