path: root/virt/kvm/kvm_main.c
diff options
authorJim Mattson <jmattson@google.com>2018-12-14 14:34:43 -0800
committerPaolo Bonzini <pbonzini@redhat.com>2018-12-21 11:28:22 +0100
commit7a86dab8cf2f0fdf508f3555dddfc236623bff60 (patch)
treedb2444964b752655491d4a27e012f90d227f110f /virt/kvm/kvm_main.c
parentf1b9dd5eb86cec1fcf66aad17e7701d98d024a9a (diff)
kvm: Change offset in kvm_write_guest_offset_cached to unsigned
Since the offset is added directly to the hva from the gfn_to_hva_cache, a negative offset could result in an out of bounds write. The existing BUG_ON only checks for addresses beyond the end of the gfn_to_hva_cache, not for addresses before the start of the gfn_to_hva_cache. Note that all current call sites have non-negative offsets. Fixes: 4ec6e8636256 ("kvm: Introduce kvm_write_guest_offset_cached()") Reported-by: Cfir Cohen <cfir@google.com> Signed-off-by: Jim Mattson <jmattson@google.com> Reviewed-by: Cfir Cohen <cfir@google.com> Reviewed-by: Peter Shier <pshier@google.com> Reviewed-by: Krish Sadhukhan <krish.sadhukhan@oracle.com> Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Diffstat (limited to 'virt/kvm/kvm_main.c')
1 files changed, 2 insertions, 1 deletions
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 3be46841db06..f90ceab3840e 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -2043,7 +2043,8 @@ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
int kvm_write_guest_offset_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
- void *data, int offset, unsigned long len)
+ void *data, unsigned int offset,
+ unsigned long len)
struct kvm_memslots *slots = kvm_memslots(kvm);
int r;