On 18/12/2018 09:19, YueHaibing wrote: > Fix smatch warning: > > arch/x86/xen/enlighten_pv.c:649 get_trap_addr() error: > buffer overflow 'early_idt_handler_array' 32 <= 32 > > Fixes: 42b3a4cb5609 ("x86/xen: Support early interrupts in xen pv guests") > Signed-off-by: YueHaibing <yuehaib...@huawei.com> > --- > arch/x86/xen/enlighten_pv.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/xen/enlighten_pv.c b/arch/x86/xen/enlighten_pv.c > index 2f6787f..81f200d 100644 > --- a/arch/x86/xen/enlighten_pv.c > +++ b/arch/x86/xen/enlighten_pv.c > @@ -646,7 +646,7 @@ static bool __ref get_trap_addr(void **addr, unsigned int > ist) > > if (nr == ARRAY_SIZE(trap_array) && > *addr >= (void *)early_idt_handler_array[0] && > - *addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS]) { > + *addr < (void *)early_idt_handler_array[NUM_EXCEPTION_VECTORS - 1]) > { > nr = (*addr - (void *)early_idt_handler_array[0]) / > EARLY_IDT_HANDLER_SIZE; > *addr = (void *)xen_early_idt_handler_array[nr]; >
No, this patch is wrong. early_idt_handler_array is a 2-dimensional array: const char early_idt_handler_array[NUM_EXCEPTION_VECTORS][EARLY_IDT_HANDLER_SIZE]; So above code doesn't do an out of bounds array access, but checks for *addr being in the array or outside of it (note the "<" used for the test). Juergen _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel