
Commit 080e8d2

bibo-maochenhuacai
authored andcommitted
LoongArch: KVM: Avoid overflow with array index
The variable index is modified in place and then reused as an array index when modifying the EIOINTC_ENABLE register, so an array index overflow can occur. Cc: [email protected] Fixes: 3956a52 ("LoongArch: KVM: Add EIOINTC read and write functions") Signed-off-by: Bibo Mao <[email protected]> Signed-off-by: Huacai Chen <[email protected]>
1 parent a0137c9 commit 080e8d2


1 file changed

+7
-10
lines changed


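--- a/arch/loongarch/kvm/intc/eiointc.c
+++ b/arch/loongarch/kvm/intc/eiointc.c
@@ -436,17 +436,16 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vcpu,
 break;
 case EIOINTC_ENABLE_START ... EIOINTC_ENABLE_END:
 index = (offset - EIOINTC_ENABLE_START) >> 1;
-old_data = s->enable.reg_u32[index];
+old_data = s->enable.reg_u16[index];
 s->enable.reg_u16[index] = data;
 /*
 * 1: enable irq.
 * update irq when isr is set.
 */
 data = s->enable.reg_u16[index] & ~old_data & s->isr.reg_u16[index];
-index = index << 1;
 for (i = 0; i < sizeof(data); i++) {
 u8 mask = (data >> (i * 8)) & 0xff;
-eiointc_enable_irq(vcpu, s, index + i, mask, 1);
+eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 1);
 }
 /*
 * 0: disable irq.
@@ -455,7 +454,7 @@ static int loongarch_eiointc_writew(struct kvm_vcpu *vcpu,
 data = ~s->enable.reg_u16[index] & old_data & s->isr.reg_u16[index];
 for (i = 0; i < sizeof(data); i++) {
 u8 mask = (data >> (i * 8)) & 0xff;
-eiointc_enable_irq(vcpu, s, index, mask, 0);
+eiointc_enable_irq(vcpu, s, index * 2 + i, mask, 0);
 }
 break;
 case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END:
@@ -529,10 +528,9 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vcpu,
 * update irq when isr is set.
 */
 data = s->enable.reg_u32[index] & ~old_data & s->isr.reg_u32[index];
-index = index << 2;
 for (i = 0; i < sizeof(data); i++) {
 u8 mask = (data >> (i * 8)) & 0xff;
-eiointc_enable_irq(vcpu, s, index + i, mask, 1);
+eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 1);
 }
 /*
 * 0: disable irq.
@@ -541,7 +539,7 @@ static int loongarch_eiointc_writel(struct kvm_vcpu *vcpu,
 data = ~s->enable.reg_u32[index] & old_data & s->isr.reg_u32[index];
 for (i = 0; i < sizeof(data); i++) {
 u8 mask = (data >> (i * 8)) & 0xff;
-eiointc_enable_irq(vcpu, s, index, mask, 0);
+eiointc_enable_irq(vcpu, s, index * 4 + i, mask, 0);
 }
 break;
 case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END:
@@ -615,10 +613,9 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vcpu,
 * update irq when isr is set.
 */
 data = s->enable.reg_u64[index] & ~old_data & s->isr.reg_u64[index];
-index = index << 3;
 for (i = 0; i < sizeof(data); i++) {
 u8 mask = (data >> (i * 8)) & 0xff;
-eiointc_enable_irq(vcpu, s, index + i, mask, 1);
+eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 1);
 }
 /*
 * 0: disable irq.
@@ -627,7 +624,7 @@ static int loongarch_eiointc_writeq(struct kvm_vcpu *vcpu,
 data = ~s->enable.reg_u64[index] & old_data & s->isr.reg_u64[index];
 for (i = 0; i < sizeof(data); i++) {
 u8 mask = (data >> (i * 8)) & 0xff;
-eiointc_enable_irq(vcpu, s, index, mask, 0);
+eiointc_enable_irq(vcpu, s, index * 8 + i, mask, 0);
 }
 break;
 case EIOINTC_BOUNCE_START ... EIOINTC_BOUNCE_END: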
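Review bot: The byte-index multiplier in the new `eiointc_enable_irq` calls (`index * 2 + i` in writew, `* 4` in writel, `* 8` in writeq) restates the register width that each loop bound already expresses as `sizeof(data)`, so the three functions now carry a hand-maintained constant that must stay in step with the type of `data`. Writing the six call sites as `eiointc_enable_irq(vcpu, s, index * sizeof(data) + i, mask, 1);` (and `0` in the disable loops) derives the byte index from the same width as the loop and cannot drift from it. A one-line comment above the first loop in each function, `/* index counts data-sized registers; eiointc_enable_irq takes a byte index */`, would also record why index is scaled at the call rather than shifted in place as before. Each of loongarch_eiointc_writew/writel/writeq starts and ends outside its hunks, so the declared type of `data` (presumably u16/u32/u64 matching the reg_u16/reg_u32/reg_u64 accesses) is inferred rather than visible here.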
