

HV:fix potential buffer overflow issues
 - use sizeof(struct lapic_regs), instead of arbitrary size
   to clear 'apic_page' memory region in vlapic.c
 - fix potential buffer overflow issues in vpic.c & ioapic.c

Tracked-On: #1252
Signed-off-by: Yonghua Huang <yonghua.huang@intel.com>
Acked-by: Eddie Dong <eddie.dong@intel.com>
yonghuah authored and lijinxia committed Sep 18, 2018
1 parent b501ce4 commit 994a375
Showing 4 changed files with 42 additions and 105 deletions.
2 changes: 1 addition & 1 deletion hypervisor/arch/x86/guest/vlapic.c
Expand Up @@ -1562,7 +1562,7 @@ vlapic_reset(struct acrn_vlapic *vlapic)
struct lapic_regs *lapic;

lapic = &(vlapic->apic_page);
(void)memset((void *)lapic, 0U, CPU_PAGE_SIZE);
(void)memset((void *)lapic, 0U, sizeof(struct lapic_regs));
(void)memset((void *)&(vlapic->pir_desc), 0U, sizeof(vlapic->pir_desc));

lapic->id.v = vlapic_build_id(vlapic);
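Review bot: The new memset sizes the clear by the type name, `sizeof(struct lapic_regs)`, while the very next line sizes pir_desc by the object, `sizeof(vlapic->pir_desc)`; tying the size to the object keeps the two consistent and survives a later change of `apic_page`'s type: `(void)memset((void *)lapic, 0U, sizeof(vlapic->apic_page));`. Whether this still clears the whole page depends on `struct lapic_regs` being padded out to CPU_PAGE_SIZE, which the apicreg.h hunk in this commit appears to do with `rsv5[192]`; a compile-time size assertion next to that struct would make the equivalence checkable rather than implicit. vlapic_reset's body continues outside the hunk.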
7 changes: 5 additions & 2 deletions hypervisor/arch/x86/ioapic.c
Expand Up @@ -289,14 +289,17 @@ uint32_t pin_to_irq(uint8_t pin)
void
irq_gsi_mask_unmask(uint32_t irq, bool mask)
{
void *addr = gsi_table[irq].addr;
uint8_t pin = gsi_table[irq].pin;
void *addr;
uint8_t pin;
union ioapic_rte rte;

if (!irq_is_gsi(irq)) {
return;
}

addr = gsi_table[irq].addr;
pin = gsi_table[irq].pin;

ioapic_get_rte_entry(addr, pin, &rte);
if (mask) {
rte.full |= IOAPIC_RTE_INTMSET;
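Review bot: The relocated reads of `gsi_table[irq]` are safe only as far as `irq_is_gsi()` bounds `irq` below the length of `gsi_table`, and that function is not visible in this hunk; if it compares against a count of configured GSIs rather than the array size, the index could still run past the table. A comment on the guard stating the invariant would make the dependency explicit: `/* irq_is_gsi() must reject any irq outside gsi_table[]; the lookups below rely on it */`. The early return also drops the mask/unmask request silently, so callers of irq_gsi_mask_unmask get no feedback; a debug-level log on the rejected path would help diagnose a mis-routed irq. irq_gsi_mask_unmask's body continues outside the hunk.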
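--- a/hypervisor/dm/vpic.c
+++ b/hypervisor/dm/vpic.c
@@ -412,6 +412,10 @@ static void vpic_set_pinstate(struct acrn_vpic *vpic, uint8_t pin, bool newstate
 int oldcnt, newcnt;
 bool level;
 
+if (pin >= NR_VPIC_PINS_TOTAL) {
+return;
+}
+
 i8259 = &vpic->i8259[pin >> 3U];
 
 oldcnt = i8259->acnt[pin & 0x7U];
@@ -457,6 +461,10 @@ static void vpic_set_irqstate(struct vm *vm, uint32_t irq,
 struct i8259_reg_state *i8259;
 uint8_t pin;
 
+if (irq >= NR_VPIC_PINS_TOTAL) {
+return;
+}
+
 vpic = vm_pic(vm);
 i8259 = &vpic->i8259[irq >> 3U];
 pin = (uint8_t)irq;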
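Review bot: Both new guards compare against `NR_VPIC_PINS_TOTAL`, but the index that follows is `pin >> 3U` (respectively `irq >> 3U`) into `vpic->i8259[]`, so the check is sufficient only if that array has at least `NR_VPIC_PINS_TOTAL / 8` entries; the array dimension is not in these hunks, so this is inferred. Pinning the relationship beside the array definition, e.g. `_Static_assert(NR_VPIC_PINS_TOTAL <= 8U * <i8259 array length>, "vpic pin bound must cover i8259[]");` with the project's real array-size expression in place of the placeholder, would keep the bound and the array from drifting apart. The narrowing `pin = (uint8_t)irq;` in vpic_set_irqstate is lossless after the guard only while `NR_VPIC_PINS_TOTAL` stays at or below 256, which the same assertion could cover. Both functions begin at the signatures in the hunk headers and their bodies continue outside the hunks.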
130 changes: 28 additions & 102 deletions hypervisor/include/arch/x86/apicreg.h
Expand Up @@ -33,83 +33,6 @@
* Local && I/O APIC definitions.
*/

/*
* Pentium P54C+ Built-in APIC
* (Advanced programmable Interrupt Controller)
*
* Base Address of Built-in APIC in memory location
* is 0xfee00000.
*
* Map of APIC Registers:
*
* Offset (hex) Description Read/Write state
* 000 Reserved
* 010 Reserved
* 020 ID Local APIC ID R/W
* 030 VER Local APIC Version R
* 040 Reserved
* 050 Reserved
* 060 Reserved
* 070 Reserved
* 080 Task Priority Register R/W
* 090 Arbitration Priority Register R
* 0A0 Processor Priority Register R
* 0B0 EOI Register W
* 0C0 RRR Remote read R
* 0D0 Logical Destination R/W
* 0E0 Destination Format Register 0..27 R; 28..31 R/W
* 0F0 SVR Spurious Interrupt Vector Reg. 0..3 R; 4..9 R/W
* 100 ISR 000-031 R
* 110 ISR 032-063 R
* 120 ISR 064-095 R
* 130 ISR 095-128 R
* 140 ISR 128-159 R
* 150 ISR 160-191 R
* 160 ISR 192-223 R
* 170 ISR 224-255 R
* 180 TMR 000-031 R
* 190 TMR 032-063 R
* 1A0 TMR 064-095 R
* 1B0 TMR 095-128 R
* 1C0 TMR 128-159 R
* 1D0 TMR 160-191 R
* 1E0 TMR 192-223 R
* 1F0 TMR 224-255 R
* 200 IRR 000-031 R
* 210 IRR 032-063 R
* 220 IRR 064-095 R
* 230 IRR 095-128 R
* 240 IRR 128-159 R
* 250 IRR 160-191 R
* 260 IRR 192-223 R
* 270 IRR 224-255 R
* 280 Error Status Register R
* 290 Reserved
* 2A0 Reserved
* 2B0 Reserved
* 2C0 Reserved
* 2D0 Reserved
* 2E0 Reserved
* 2F0 Local Vector Table (CMCI) R/W
* 300 ICR_LOW Interrupt Command Reg. (0-31) R/W
* 310 ICR_HI Interrupt Command Reg. (32-63) R/W
* 320 Local Vector Table (Timer) R/W
* 330 Local Vector Table (Thermal) R/W (PIV+)
* 340 Local Vector Table (Performance) R/W (P6+)
* 350 LVT1 Local Vector Table (LINT0) R/W
* 360 LVT2 Local Vector Table (LINT1) R/W
* 370 LVT3 Local Vector Table (ERROR) R/W
* 380 Initial Count Reg. for Timer R/W
* 390 Current Count of Timer R
* 3A0 Reserved
* 3B0 Reserved
* 3C0 Reserved
* 3D0 Reserved
* 3E0 Timer Divide Configuration Reg. R/W
* 3F0 Reserved
*/


/******************************************************************************
* global defines, etc.
*/
Expand All @@ -123,33 +46,36 @@ struct lapic_reg {
uint32_t pad[3];
};

struct lapic_regs {
struct lapic_regs { /*OFFSET(Hex)*/
struct lapic_reg rsv0[2];
struct lapic_reg id;
struct lapic_reg version;
struct lapic_reg id; /*020*/
struct lapic_reg version; /*030*/
struct lapic_reg rsv1[4];
struct lapic_reg tpr;
struct lapic_reg apr;
struct lapic_reg ppr;
struct lapic_reg eoi;
struct lapic_reg rsv2;
struct lapic_reg ldr;
struct lapic_reg dfr;
struct lapic_reg svr;
struct lapic_reg isr[8];
struct lapic_reg tmr[8];
struct lapic_reg irr[8];
struct lapic_reg esr;
struct lapic_reg rsv3[6];
struct lapic_reg lvt_cmci;
struct lapic_reg icr_lo;
struct lapic_reg icr_hi;
struct lapic_reg lvt[6];
struct lapic_reg icr_timer;
struct lapic_reg ccr_timer;
struct lapic_reg rsv4[4];
struct lapic_reg dcr_timer;
struct lapic_reg rsv5;
struct lapic_reg tpr; /*080*/
struct lapic_reg apr; /*090*/
struct lapic_reg ppr; /*0A0*/
struct lapic_reg eoi; /*0B0*/
struct lapic_reg rrd; /*0C0*/
struct lapic_reg ldr; /*0D0*/
struct lapic_reg dfr; /*0EO*/
struct lapic_reg svr; /*0F0*/
struct lapic_reg isr[8]; /*100 -- 170*/
struct lapic_reg tmr[8]; /*180 -- 1F0*/
struct lapic_reg irr[8]; /*200 -- 270*/
struct lapic_reg esr; /*280*/
struct lapic_reg rsv2[6];
struct lapic_reg lvt_cmci; /*2F0*/
struct lapic_reg icr_lo; /*300*/
struct lapic_reg icr_hi; /*310*/
struct lapic_reg lvt[6]; /*320 -- 370*/
struct lapic_reg icr_timer;/*380*/
struct lapic_reg ccr_timer;/*390*/
struct lapic_reg rsv3[4];
struct lapic_reg dcr_timer;/*3E0*/
struct lapic_reg rsv4;

/*roundup sizeof current struct to 4KB*/
struct lapic_reg rsv5[192]; /*400 -- FF0*/
} __aligned(CPU_PAGE_SIZE);

enum LAPIC_REGISTERS {
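Review bot: The offset comment on `dfr` reads `/*0EO*/` with a letter O where every neighbouring entry uses a digit zero; it should be `/*0E0*/`. The reserved fields were also renumbered in this hunk (the old `rsv2` slot became `rrd`, and `rsv3`..`rsv5` became `rsv2`..`rsv4`), so any code elsewhere that still names `rsv2` or `rsv3` would now silently address a different register; worth a search before merge. The `/*roundup sizeof current struct to 4KB*/` padding is what lets vlapic.c clear `apic_page` with `sizeof(struct lapic_regs)`; a compile-time check after the struct, `_Static_assert(sizeof(struct lapic_regs) == CPU_PAGE_SIZE, "lapic_regs must span one page");` (or the project's own static-assert macro, if it has one), would keep that from regressing silently. `enum LAPIC_REGISTERS` starts on the hunk's last line and continues outside it.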
