From d6f7288580a358a37812024a79dfd1d6d9633ce2 Mon Sep 17 00:00:00 2001
From: Tianhua Sun
Date: Fri, 5 Jul 2019 09:51:40 +0800
Subject: [PATCH] hv: fix some potential array overflow risk

'pcpu_id' should be less than CONFIG_MAX_PCPU_NUM, else 'per_cpu_data' will overflow. This commit fixes this potential overflow issue.

Tracked-On: #3397
Signed-off-by: Tianhua Sun
Reviewed-by: Yonghua Huang
---
 hypervisor/arch/x86/guest/assign.c | 2 +-
 hypervisor/arch/x86/lapic.c | 2 +-
 hypervisor/arch/x86/notify.c | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/hypervisor/arch/x86/guest/assign.c b/hypervisor/arch/x86/guest/assign.c
index 11a7bdb1e..dc0bf2225 100644
--- a/hypervisor/arch/x86/guest/assign.c
+++ b/hypervisor/arch/x86/guest/assign.c
@@ -66,7 +66,7 @@ static uint32_t calculate_logical_dest_mask(uint64_t pdmask)
 uint16_t pcpu_id;
 pcpu_id = ffs64(pcpu_mask);
- while (pcpu_id != INVALID_BIT_INDEX) {
+ while (pcpu_id < CONFIG_MAX_PCPU_NUM) {
 bitmap_clear_nolock(pcpu_id, &pcpu_mask);
 dest_mask |= per_cpu(lapic_ldr, pcpu_id);
 pcpu_id = ffs64(pcpu_mask);
diff --git a/hypervisor/arch/x86/lapic.c b/hypervisor/arch/x86/lapic.c
index 3213f4a4f..46ee1cb4c 100644
--- a/hypervisor/arch/x86/lapic.c
+++ b/hypervisor/arch/x86/lapic.c
@@ -240,7 +240,7 @@ void send_dest_ipi_mask(uint32_t dest_mask, uint32_t vector)
 pcpu_id = ffs64(mask);
- while (pcpu_id != INVALID_BIT_INDEX) {
+ while (pcpu_id < CONFIG_MAX_PCPU_NUM) {
 bitmap32_clear_nolock(pcpu_id, &mask);
 if (is_pcpu_active(pcpu_id)) {
 icr.value_32.hi_32 = per_cpu(lapic_id, pcpu_id);
diff --git a/hypervisor/arch/x86/notify.c b/hypervisor/arch/x86/notify.c
index 55cd926dd..9045293de 100644
--- a/hypervisor/arch/x86/notify.c
+++ b/hypervisor/arch/x86/notify.c
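Review bot: The new loop bound in calculate_logical_dest_mask silently discards any bit of pdmask at or above CONFIG_MAX_PCPU_NUM: ffs64 yields the lowest set bit, so the loop now stops at the first out-of-range bit and the remaining bits are neither cleared nor reported, which makes a malformed pdmask indistinguishable from a valid one; the send_dest_ipi_mask hunk in lapic.c and the smp_call_function hunk in notify.c have the same shape. Termination on an empty mask now also depends on ffs64's sentinel INVALID_BIT_INDEX comparing greater than or equal to CONFIG_MAX_PCPU_NUM, which nothing in the patch states or checks. I would pin that with `_Static_assert(INVALID_BIT_INDEX >= CONFIG_MAX_PCPU_NUM, "ffs64 sentinel must lie outside the pcpu range");` near the loop, plus a comment on the while line such as `/* ffs64() returns INVALID_BIT_INDEX on an empty mask; bits beyond the configured pcpus are ignored, not an error */`. If out-of-range bits are not expected from callers, an assertion or error log on pcpu_mask being non-zero after the loop would surface the misconfiguration instead of hiding it. The function body continues outside the hunk.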
@@ -44,7 +44,7 @@ void smp_call_function(uint64_t mask, smp_call_func_t func, void *data)
 /* wait for previous smp call complete, which may run on other cpus */
 while (atomic_cmpxchg64(&smp_call_mask, 0UL, mask & INVALID_BIT_INDEX) != 0UL);
 pcpu_id = ffs64(mask);
- while (pcpu_id != INVALID_BIT_INDEX) {
+ while (pcpu_id < CONFIG_MAX_PCPU_NUM) {
 bitmap_clear_nolock(pcpu_id, &mask);
 if (is_pcpu_active(pcpu_id)) {
 smp_call = &per_cpu(smp_call_info, pcpu_id);
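Review bot: In smp_call_function the bounded loop no longer visits bits of mask at or above CONFIG_MAX_PCPU_NUM, but the context line two above still publishes `mask & INVALID_BIT_INDEX` into smp_call_mask before the loop, so depending on the value of INVALID_BIT_INDEX such bits can stay set in smp_call_mask even though no CPU is ever signalled for them. If the completion wait that follows (outside this hunk) spins until smp_call_mask clears, a caller passing an out-of-range bit would now hang there instead of overflowing per_cpu_data here, which is safer but still worth making explicit. I would clear the out-of-range bits from mask once, before the cmpxchg, and document it with `/* only bits below CONFIG_MAX_PCPU_NUM are valid pcpu ids; anything else is dropped before it can reach smp_call_mask */` (guarding the shift if CONFIG_MAX_PCPU_NUM can equal the width of mask), or assert that mask has no such bits. The function body continues outside the hunk.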