Commit 11b8ff5
KVM: s390: pci: fix GAIT table indexing due to double-scaling pointer arithmetic
commit 16d990a upstream.
kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and
aen_host_forward() index the GAIT by manually multiplying the index
with sizeof(struct zpci_gaite).
Since aift->gait is already a struct zpci_gaite pointer, this
double-scales the offset, accessing element aisb*16 instead of aisb.
This causes out-of-bounds accesses when aisb >= 32 (with
ZPCI_NR_DEVICES=512).
Fix by removing the erroneous sizeof multiplication.
Fixes: 3c5a1b6 ("KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding")
Fixes: 73f91b0 ("KVM: s390: pci: enable host forwarding of Adapter Event Notifications")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Junrui Luo <moonafterrain@outlook.com>
Reviewed-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Tested-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent b315b03 commit 11b8ff5
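The bug class described in the commit message, as an added example that is not the kernel's code: adding `aisb * sizeof(struct zpci_gaite)` to a pointer that is already of type `struct zpci_gaite *` lets the compiler scale the offset a second time, so the expression reaches element `aisb * 16` and, with 512 entries, leaves the table from `aisb = 32` onward. The struct below is a constructed 16-byte stand-in (its field names and layout are assumptions; only the size matters), `gait_table`, `double_scaled_index`, `correct_index`, `first_oob_aisb` and `gait_lookup` are names chosen for this example, and the bounds-checked `gait_lookup` is the defensive form, not something the patch adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed 16-byte stand-in for the kernel's struct zpci_gaite.
 * Field names and layout are assumptions; only sizeof() == 16 matters.
 */
struct zpci_gaite {
    uint32_t gisa;
    uint8_t  gisc;
    uint8_t  count;
    uint8_t  reserved;
    uint8_t  aisbo;
    uint64_t aisb;
};

#define ZPCI_NR_DEVICES 512

/* Constructed table; in the kernel aift->gait points at such an array. */
static struct zpci_gaite gait_table[ZPCI_NR_DEVICES];

/*
 * Element index that `gait + aisb * sizeof(struct zpci_gaite)` reaches.
 * gait is already a struct pointer, so the compiler multiplies the added
 * integer by sizeof(*gait) once more: the offset is scaled twice.
 * Integer arithmetic only, so no out-of-range pointer is ever formed.
 */
static size_t double_scaled_index(size_t aisb)
{
    size_t bytes = aisb * sizeof(struct zpci_gaite) * sizeof(struct zpci_gaite);
    return bytes / sizeof(struct zpci_gaite);
}

/* Element index that the corrected `gait + aisb` reaches. */
static size_t correct_index(size_t aisb)
{
    size_t bytes = aisb * sizeof(struct zpci_gaite);
    return bytes / sizeof(struct zpci_gaite);
}

/* Smallest aisb whose target element lies outside a table of nr entries. */
static size_t first_oob_aisb(size_t nr, size_t (*index_of)(size_t))
{
    size_t aisb = 0;
    while (index_of(aisb) < nr)
        aisb++;
    return aisb;
}

/*
 * Bounds-checked lookup (defensive form): callers get NULL instead of a
 * pointer past the end of the table, whatever the caller passes as aisb.
 */
static struct zpci_gaite *gait_lookup(struct zpci_gaite *gait, size_t nr, size_t aisb)
{
    if (aisb >= nr)
        return NULL;
    return gait + aisb;   /* scaled exactly once, by the compiler */
}

/* Both forms on real pointers for an in-bounds case (aisb = 1). */
static ptrdiff_t demo_pointer_diff(void)
{
    size_t aisb = 1;
    struct zpci_gaite *buggy = gait_table + aisb * sizeof(struct zpci_gaite); /* &gait_table[16] */
    struct zpci_gaite *fixed = gait_table + aisb;                            /* &gait_table[1]  */
    return buggy - fixed;   /* 15 elements apart */
}

int main(void)
{
    printf("sizeof(struct zpci_gaite) = %zu\n", sizeof(struct zpci_gaite));
    printf("aisb=1: double-scaled form reaches element %zu, fixed form reaches %zu\n",
           double_scaled_index(1), correct_index(1));
    printf("first out-of-bounds aisb for %d entries: double-scaled %zu, fixed %zu\n",
           ZPCI_NR_DEVICES,
           first_oob_aisb(ZPCI_NR_DEVICES, double_scaled_index),
           first_oob_aisb(ZPCI_NR_DEVICES, correct_index));
    printf("distance between the two forms at aisb=1: %td elements\n",
           demo_pointer_diff());
    return 0;
}
```

The same mistake is invisible to the type checker because `pointer + integer` is well-typed for any integer; a `sizeof` appearing in the integer operand next to a typed pointer is the pattern to look for in review, and a checked accessor like `gait_lookup` keeps a wrong index from turning into a silent out-of-bounds read or write.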
2 files changed
Lines changed: 3 additions & 6 deletions
[diff body not recovered: the rendered diff tables kept only line numbers. File 1: hunk at lines 3329-3336. File 2: hunks at lines 292-299 and 359-366.]