[COMMIT master] KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID

Avi Kivity Mon, 05 Oct 2009 07:56:22 -0700

From: Avi Kivity <a...@redhat.com>

The number of entries is multiplied by the entry size, which can
overflow on 32-bit hosts.  Bound the entry count instead.


Reported-by: David Wagner <d...@cs.berkeley.edu>
Signed-off-by: Avi Kivity <a...@redhat.com>

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index ffccb5c..b2f4f13 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1593,6 +1593,8 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct 
kvm_cpuid2 *cpuid,
 
        if (cpuid->nent < 1)
                goto out;
+       if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
+               cpuid->nent = KVM_MAX_CPUID_ENTRIES;
        r = -ENOMEM;
        cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
        if (!cpuid_entries)
--
To unsubscribe from this list: send the line "unsubscribe kvm-commits" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[COMMIT master] KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID

Reply via email to