[V3] x86/monitor: Fixed CID 1412966: Memory - corruptions (OVERRUN)

Commit Message

Razvan Cojocaru June 21, 2017, 4:37 p.m. UTC

Fixed an issue where the maximum index allowed (31) goes beyond the
actual number of array elements (4) of ad->monitor.write_ctrlreg_mask.
Coverity-ID: 1412966

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>

---
Changes since V2:
 - Removed stale comment.
 - Indentation.
 - Added Reviewed-by.
---
 xen/arch/x86/monitor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/xen/arch/x86/monitor.c b/xen/arch/x86/monitor.c
index bedf13c..764195a 100644
--- a/xen/arch/x86/monitor.c
+++ b/xen/arch/x86/monitor.c
@@ -132,8 +132,8 @@  int arch_monitor_domctl_event(struct domain *d,
         unsigned int ctrlreg_bitmask;
         bool_t old_status;
 
-        /* sanity check: avoid left-shift undefined behavior */
-        if ( unlikely(mop->u.mov_to_cr.index > 31) )
+        if ( unlikely(mop->u.mov_to_cr.index >=
+                      ARRAY_SIZE(ad->monitor.write_ctrlreg_mask)) )
             return -EINVAL;
 
         if ( unlikely(mop->u.mov_to_cr.pad1 || mop->u.mov_to_cr.pad2) )