From 877ce914a239f536fdfe51107e9efd5945e2f947 Mon Sep 17 00:00:00 2001
From: Tianhua Sun
Date: Fri, 5 Jul 2019 09:51:40 +0800
Subject: [PATCH] hv: fix some potential array overflow risk
'pcpu_id' should be less than CONFIG_MAX_PCPU_NUM, else 'per_cpu_data' will overflow. This commit fixes this potential overflow issue.
Tracked-On: #3407
Signed-off-by: Tianhua Sun
Reviewed-by: Yonghua Huang
---
 hypervisor/arch/x86/lapic.c | 2 +-
 hypervisor/arch/x86/notify.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hypervisor/arch/x86/lapic.c b/hypervisor/arch/x86/lapic.c
index 1774dd708..df76348d1 100644
--- a/hypervisor/arch/x86/lapic.c
+++ b/hypervisor/arch/x86/lapic.c
@@ -254,7 +254,7 @@ void send_dest_ipi_mask(uint32_t dest_mask, uint32_t vector)
 pcpu_id = ffs64(mask);
- while (pcpu_id != INVALID_BIT_INDEX) {
+ while (pcpu_id < CONFIG_MAX_PCPU_NUM) {
 bitmap32_clear_nolock(pcpu_id, &mask);
 if (bitmap_test(pcpu_id, &pcpu_active_bitmap)) {
 icr.value_32.hi_32 = per_cpu(lapic_id, pcpu_id);
diff --git a/hypervisor/arch/x86/notify.c b/hypervisor/arch/x86/notify.c
index 7e3ef679d..820a51aec 100644
--- a/hypervisor/arch/x86/notify.c
+++ b/hypervisor/arch/x86/notify.c
@@ -37,7 +37,7 @@ void smp_call_function(uint64_t mask, smp_call_func_t func, void *data)
 /* wait for previous smp call complete, which may run on other cpus */
 while (atomic_cmpxchg64(&smp_call_mask, 0UL, mask & INVALID_BIT_INDEX) != 0UL);
 pcpu_id = ffs64(mask);
- while (pcpu_id != INVALID_BIT_INDEX) {
+ while (pcpu_id < CONFIG_MAX_PCPU_NUM) {
 bitmap_clear_nolock(pcpu_id, &mask);
 if (bitmap_test(pcpu_id, &pcpu_active_bitmap)) {
 smp_call = &per_cpu(smp_call_info, pcpu_id);
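Review bot: The new test `pcpu_id < CONFIG_MAX_PCPU_NUM` in send_dest_ipi_mask only ends the loop on an empty mask if INVALID_BIT_INDEX is itself not below CONFIG_MAX_PCPU_NUM, and nothing in the hunk states or enforces that relationship. A comment on the loop such as `/* ffs64() yields INVALID_BIT_INDEX for an empty mask; it must be >= CONFIG_MAX_PCPU_NUM for this test to end the loop */` would record the assumption, and a build-time assertion on the two constants would enforce it. The loop also now exits at the first out-of-range bit, so such a bit in dest_mask is dropped without any trace; if it can only come from a caller bug, a log or assert would make that visible. The same applies to the loop in notify.c, and the loop body continues outside the hunk.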
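Review bot: The value published by the `atomic_cmpxchg64` just above the loop in smp_call_function is `mask & INVALID_BIT_INDEX`, but the loop now stops at the first bit at or above CONFIG_MAX_PCPU_NUM, so any such bit that survives that AND stays set in smp_call_mask with no CPU left to clear it. If the code after the loop (outside this hunk) waits for smp_call_mask to drain, it would spin indefinitely, and so would the "wait for previous smp call" retry of any later caller. Sanitising the argument before it is published keeps the published and iterated masks consistent, for example `mask &= (1UL << CONFIG_MAX_PCPU_NUM) - 1UL;` ahead of the cmpxchg, assuming CONFIG_MAX_PCPU_NUM is below 64.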