github/acrn-hypervisor
1
0
Fork 0
mirror of https://github.com/projectacrn/acrn-hypervisor.git synced 2025-06-21 21:19:35 +00:00
Code Issues Projects Releases Wiki Activity

hv: fix possible buffer overflow in vlapic.c

Browse Source 
Possible buffer overflow will happen in vlapic_set_tmr()
  and vlapic_update_ppr(),this path is to fix them.

Tracked-On: #1252
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
This commit is contained in:
Yonghua Huang 2019-04-23 01:03:03 +08:00 committed by wenlingz
parent a3a77c7123
commit 7bcfebc55f
1 changed files with 5 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
hypervisor/arch/x86/guest/vlapic.c
View File

@ -462,11 +462,11 @@ vlapic_set_tmr(struct acrn_vlapic *vlapic, uint32_t vector, bool level)
lapic = &(vlapic->apic_page); lapic = &(vlapic->apic_page);
tmrptr = &lapic->tmr[0]; tmrptr = &lapic->tmr[0];
if (level) { if (level) {
if (!bitmap32_test_and_set_lock((uint16_t)(vector & 0x1fU), &tmrptr[vector >> 5U].v)) { if (!bitmap32_test_and_set_lock((uint16_t)(vector & 0x1fU), &tmrptr[(vector & 0xffU) >> 5U].v)) {
vcpu_set_eoi_exit_bitmap(vlapic->vcpu, vector); vcpu_set_eoi_exit_bitmap(vlapic->vcpu, vector);
} }
} else { } else {
if (bitmap32_test_and_clear_lock((uint16_t)(vector & 0x1fU), &tmrptr[vector >> 5U].v)) { if (bitmap32_test_and_clear_lock((uint16_t)(vector & 0x1fU), &tmrptr[(vector & 0xffU) >> 5U].v)) {
vcpu_clear_eoi_exit_bitmap(vlapic->vcpu, vector); vcpu_clear_eoi_exit_bitmap(vlapic->vcpu, vector);
} }
} }
@ -875,12 +875,10 @@ vlapic_update_ppr(struct acrn_vlapic *vlapic)
isrptr = &(vlapic->apic_page.isr[0]); isrptr = &(vlapic->apic_page.isr[0]);
for (vector = 0U; vector < 256U; vector++) { for (vector = 0U; vector < 256U; vector++) {
idx = vector >> 5U; idx = vector >> 5U;
if ((isrptr[idx].v & (1U << (vector & 0x1fU))) if (((isrptr[idx].v & (1U << (vector & 0x1fU))) != 0U)
!= 0U) { && (i < ISRVEC_STK_SIZE)) {
isrvec = (uint32_t)vlapic->isrvec_stk[i]; isrvec = (uint32_t)vlapic->isrvec_stk[i];
if ((i > vlapic->isrvec_stk_top) || if ((i > vlapic->isrvec_stk_top) || (isrvec != vector)) {
((i < ISRVEC_STK_SIZE) &&
(isrvec != vector))) {
dump_isrvec_stk(vlapic); dump_isrvec_stk(vlapic);
panic("ISR and isrvec_stk out of sync"); panic("ISR and isrvec_stk out of sync");
} }