From: Avi Kivity <avi@redhat.com>
Date: Sun, 22 Apr 2012 17:02:11 +0300
Subject: [PATCH] KVM: Fix buffer overflow in kvm_set_irq()
commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed upstream.
kvm_set_irq() has an internal buffer of three irq routing entries, allowing
connecting a GSI to three IRQ chips or one MSI. However setup_routing_entry()
does not properly enforce this, allowing three irqchip routes followed by
an MSI route to overflow the buffer.
Fix by ensuring that an MSI entry is added to an empty list.
Signed-off-by: Avi Kivity <avi@redhat.com>
---
virt/kvm/irq_comm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
index a6a0365..5afb431 100644
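--- a/virt/kvm/irq_comm.c
+++ b/virt/kvm/irq_comm.c
@@ -332,6 +332,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
 */
 hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
 if (ei->type == KVM_IRQ_ROUTING_MSI ||
+ ue->type == KVM_IRQ_ROUTING_MSI ||
 ue->u.irqchip.irqchip == ei->irqchip.irqchip)
 return r;
 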
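Review bot: The limit that protects the three-entry buffer in kvm_set_irq() is still enforced only indirectly, by this per-entry test inside the `hlist_for_each_entry` loop, and nothing in the visible lines says so. The added `ue->type == KVM_IRQ_ROUTING_MSI` term does not depend on `ei`, so it really means "reject an MSI route when this GSI already has any route". A comment such as `/* an MSI route must be the only route for its GSI: kvm_set_irq() copies the list into a fixed three-entry buffer */` would keep a later cleanup from dropping it as redundant. The comment that closes at `*/` and the rest of setup_routing_entry() lie outside the hunk, so part of this may already be stated there. As defence in depth, the copy loop in kvm_set_irq() (not shown here) could also stop at the buffer's capacity instead of trusting the routing table to stay within it.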
--
1.7.10