From patchwork Thu Jan 21 10:56:03 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Christian Borntraeger <borntraeger@de.ibm.com>
X-Patchwork-Id: 74312
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by demeter.kernel.org (8.14.3/8.14.2) with ESMTP id o0LAuGJH022963
	for <patchwork-kvm@patchwork.kernel.org>;
	Thu, 21 Jan 2010 10:56:16 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753769Ab0AUK4O (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Thu, 21 Jan 2010 05:56:14 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751961Ab0AUK4N
	(ORCPT <rfc822;kvm-outgoing>); Thu, 21 Jan 2010 05:56:13 -0500
Received: from mtagate1.uk.ibm.com ([194.196.100.161]:35226 "EHLO
	mtagate1.uk.ibm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751492Ab0AUK4I (ORCPT <rfc822; kvm@vger.kernel.org>);
	Thu, 21 Jan 2010 05:56:08 -0500
Received: from d06nrmr1806.portsmouth.uk.ibm.com
	(d06nrmr1806.portsmouth.uk.ibm.com [9.149.39.193])
	by mtagate1.uk.ibm.com (8.13.1/8.13.1) with ESMTP id o0LAu6ON000811
	for <kvm@vger.kernel.org>; Thu, 21 Jan 2010 10:56:06 GMT
Received: from d06av01.portsmouth.uk.ibm.com (d06av01.portsmouth.uk.ibm.com
	[9.149.37.212])
	by d06nrmr1806.portsmouth.uk.ibm.com (8.13.8/8.13.8/NCO v10.0) with
	ESMTP id o0LAu6Kq1134776
	for <kvm@vger.kernel.org>; Thu, 21 Jan 2010 10:56:06 GMT
Received: from d06av01.portsmouth.uk.ibm.com (loopback [127.0.0.1])
	by d06av01.portsmouth.uk.ibm.com (8.12.11.20060308/8.13.3) with ESMTP
	id o0LAu56Y012653
	for <kvm@vger.kernel.org>; Thu, 21 Jan 2010 10:56:05 GMT
Received: from cborntra.localnet (sig-9-146-218-97.de.ibm.com [9.146.218.97])
	by d06av01.portsmouth.uk.ibm.com (8.12.11.20060308/8.12.11) with
	ESMTP id o0LAu4HA012634
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 21 Jan 2010 10:56:05 GMT
From: Christian Borntraeger <borntraeger@de.ibm.com>
Organization: IBM
To: Marcelo Tosatti <mtosatti@redhat.com>, Avi Kivity <avi@redhat.com>
Subject: [PATCH] kvm-s390: fix potential array overrun in intercept handling
Date: Thu, 21 Jan 2010 11:56:03 +0100
User-Agent: KMail/1.12.4 (Linux/2.6.33-rc4-self-00399-g24bc734; KDE/4.3.4;
	x86_64; ; )
Cc: kvm@vger.kernel.org, Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Heiko Carstens <heiko.carstens@de.ibm.com>, cotte@de.ibm.com
MIME-Version: 1.0
Message-Id: <201001211156.03669.borntraeger@de.ibm.com>
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org


Index: linux-2.6/arch/s390/kvm/intercept.c
===================================================================
--- linux-2.6.orig/arch/s390/kvm/intercept.c
+++ linux-2.6/arch/s390/kvm/intercept.c
@@ -208,32 +208,32 @@ static int handle_instruction_and_prog(s
 
 	if (rc == -ENOTSUPP)
 		vcpu->arch.sie_block->icptcode = 0x04;
 	if (rc)
 		return rc;
 	return rc2;
 }
 
-static const intercept_handler_t intercept_funcs[0x48 >> 2] = {
+static const intercept_handler_t intercept_funcs[(0x28 >> 2) + 1] = {
 	[0x00 >> 2] = handle_noop,
 	[0x04 >> 2] = handle_instruction,
 	[0x08 >> 2] = handle_prog,
 	[0x0C >> 2] = handle_instruction_and_prog,
 	[0x10 >> 2] = handle_noop,
 	[0x14 >> 2] = handle_noop,
 	[0x1C >> 2] = kvm_s390_handle_wait,
 	[0x20 >> 2] = handle_validity,
 	[0x28 >> 2] = handle_stop,
 };
 
 int kvm_handle_sie_intercept(struct kvm_vcpu *vcpu)
 {
 	intercept_handler_t func;
 	u8 code = vcpu->arch.sie_block->icptcode;
 
-	if (code & 3 || code > 0x48)
+	if (code & 3 || code > 0x28)
 		return -ENOTSUPP;
 	func = intercept_funcs[code >> 2];
 	if (func)
 		return func(vcpu);
 	return -ENOTSUPP;
 }