KVM: Fix buffer overflow in kvm_set_irq()

avikivity · rtg-canonical · commit 398cf08f6431 · 2012-09-07T07:40:59.000-06:00
CVE-2012-2137 BugLink: http://bugs.launchpad.net/bugs/1016298 kvm_set_irq() has an internal buffer of three irq routing entries, allowing connecting a GSI to three IRQ chips or on MSI. However setup_routing_entry() does not properly enforce this, allowing three irqchip routes followed by an MSI route to overflow the buffer. Fix by ensuring that an MSI entry is added to an empty list. Signed-off-by: Avi Kivity <avi@redhat.com> (cherry picked from commit f2ebd422f71cda9c791f76f85d2ca102ae34a1ed) Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com>
diff --git a/virt/kvm/irq_comm.c b/virt/kvm/irq_comm.c
@@ -300,6 +300,7 @@ static int setup_routing_entry(struct kvm_irq_routing_table *rt,
 	 */
 	hlist_for_each_entry(ei, n, &rt->map[ue->gsi], link)
 		if (ei->type == KVM_IRQ_ROUTING_MSI ||
+		    ue->type == KVM_IRQ_ROUTING_MSI ||
 		    ue->u.irqchip.irqchip == ei->irqchip.irqchip)
 			return r;
 
