leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

kvm: nVMX: off by one in vmx_write_pml_buffer()

Browse Source 
There are PML_ENTITY_NUM elements in the pml_address[] array so the >
should be >= or we write beyond the end of the array when we do:

	pml_address[vmcs12->guest_pml_index--] = gpa;

Fixes: c5f983f6e8 ("nVMX: Implement emulated Page Modification Logging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
This commit is contained in:
Dan Carpenter 2017-05-10 22:43:17 +03:00 committed by Radim Krčmář
parent 65acb891aa
commit 4769886baf
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
arch/x86/kvm/vmx.c
View File

@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
if (!nested_cpu_has_pml(vmcs12)) if (!nested_cpu_has_pml(vmcs12))
return 0; return 0;
if (vmcs12->guest_pml_index > PML_ENTITY_NUM) { if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
vmx->nested.pml_full = true; vmx->nested.pml_full = true;
return 1; return 1;
} }