hv: fix possible buffer overflow in 'vcpu_set_eoi_exit()'

yonghuah · wenlingz · commit ee066a7f1ce7 · 2019-01-25T11:26:45.000+08:00
'vector' should be no greater than 0xff,else 'eoi_exit_bitmap[]' will overflow. Tracked-On: #1252 Signed-off-by: Yonghua Huang <yonghua.huang@intel.com> Acked-by: Eddie Dong <eddie.dong@intel.com>
diff --git a/hypervisor/arch/x86/guest/vcpu.c b/hypervisor/arch/x86/guest/vcpu.c
@@ -145,7 +145,7 @@ void vcpu_set_eoi_exit(struct acrn_vcpu *vcpu, uint32_t vector)
 	pr_dbg("%s", __func__);
 
 	if (bitmap_test_and_set_nolock((uint16_t)(vector & 0x3fU),
-			&(vcpu->arch.eoi_exit_bitmap[vector >> 6U]))) {
+			&(vcpu->arch.eoi_exit_bitmap[(vector & 0xffU) >> 6U]))) {
 		pr_warn("Duplicated vector %u vcpu%u", vector, vcpu->vcpu_id);
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ void vcpu_set_eoi_exit(struct acrn_vcpu *vcpu, uint32_t vector)`
`145`	`145`	`pr_dbg("%s", __func__);`
`146`	`146`
`147`	`147`	`if (bitmap_test_and_set_nolock((uint16_t)(vector & 0x3fU),`
`148`		`- &(vcpu->arch.eoi_exit_bitmap[vector >> 6U]))) {`
	`148`	`+ &(vcpu->arch.eoi_exit_bitmap[(vector & 0xffU) >> 6U]))) {`
`149`	`149`	`pr_warn("Duplicated vector %u vcpu%u", vector, vcpu->vcpu_id);`
`150`	`150`	`}`
`151`	`151`	`}`