KVM: S390: fix potential array overrun in intercept handling kvm_handle_sie_intercept uses a jump table to get the intercept handler for a SIE intercept. Static code analysis revealed a potential problem: the intercept_funcs jump table was defined to contain (0x48 >> 2) entries, but we only checked for code > 0x48 which would cause an off-by-one array overflow if code == 0x48. Use the compiler and ARRAY_SIZE to automatically set the limits. Cc: stable@kernel.org Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

commit: 062d5e9b0d714f449b261bb522eadaaf6f00f438 [log] [tgz]
author: Christian Borntraeger <borntraeger@de.ibm.com> Thu Jan 21 12:19:07 2010 +0100
committer: Marcelo Tosatti <mtosatti@redhat.com> Mon Jan 25 12:26:39 2010 -0200
tree: cd0e9b7e7449a2b067614865998218fd4462e581
parent: b6a114d27273c37cd0107b0f49af208168498f05 [diff] [blame]
diff --git a/arch/s390/kvm/intercept.c b/arch/s390/kvm/intercept.c
index ba9d8a7..b400964 100644
--- a/arch/s390/kvm/intercept.c
+++ b/arch/s390/kvm/intercept.c

@@ -213,7 +213,7 @@
 	return rc2;
 }
 
-static const intercept_handler_t intercept_funcs[0x48 >> 2] = {
+static const intercept_handler_t intercept_funcs[] = {
 	[0x00 >> 2] = handle_noop,
 	[0x04 >> 2] = handle_instruction,
 	[0x08 >> 2] = handle_prog,
@@ -230,7 +230,7 @@
 	intercept_handler_t func;
 	u8 code = vcpu->arch.sie_block->icptcode;
 
-	if (code & 3 || code > 0x48)
+	if (code & 3 || (code >> 2) >= ARRAY_SIZE(intercept_funcs))
 		return -ENOTSUPP;
 	func = intercept_funcs[code >> 2];
 	if (func)
commit	062d5e9b0d714f449b261bb522eadaaf6f00f438	[log] [tgz]
author	Christian Borntraeger <borntraeger@de.ibm.com>	Thu Jan 21 12:19:07 2010 +0100
committer	Marcelo Tosatti <mtosatti@redhat.com>	Mon Jan 25 12:26:39 2010 -0200
tree	cd0e9b7e7449a2b067614865998218fd4462e581
parent	b6a114d27273c37cd0107b0f49af208168498f05 [diff] [blame]