Commit 4769886b · Author: Dan Carpenter · Committer: Radim Krčmář

kvm: nVMX: off by one in vmx_write_pml_buffer()

There are PML_ENTITY_NUM elements in the pml_address[] array so the >
should be >= or we write beyond the end of the array when we do:

	pml_address[vmcs12->guest_pml_index--] = gpa;

Fixes: c5f983f6 ("nVMX: Implement emulated Page Modification Logging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Parent 65acb891
...@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu) ...@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
if (!nested_cpu_has_pml(vmcs12)) if (!nested_cpu_has_pml(vmcs12))
return 0; return 0;
if (vmcs12->guest_pml_index > PML_ENTITY_NUM) { if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
vmx->nested.pml_full = true; vmx->nested.pml_full = true;
return 1; return 1;
} }
......
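Review bot: The new `vmcs12->guest_pml_index >= PML_ENTITY_NUM` test is one-sided, so it only protects the `pml_address[vmcs12->guest_pml_index--] = gpa` write quoted in the commit message if `guest_pml_index` is an unsigned type; the index comes from vmcs12 and has no lower-bound check in the visible lines. Please confirm the field's type in the vmcs12 definition, and consider a one-line comment above the `if` stating that valid indices are 0 to PML_ENTITY_NUM - 1, so the next reader does not reintroduce the `>` form. The post-decrement in the quoted write also deserves a note on what happens when the index is 0, since that case is not visible in this hunk.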