Hello,

I have found a possible out of bounds read in arch/powerpc/kvm/book3s_64_mmu.c (kvmppc_mmu_book3s_64_xlate function).

The pteg[] array could be accessed twice using the i variable after the for iteration. What happens is that in the last iteration the i index is incremented to 16, checked (i<16), then the loop exits.

    277 for (i=0; i<16; i+=2) {
    ...

Later there are read attempts on the last pteg elements, but using again the already incremented i (16).

    303 v = be64_to_cpu(pteg[i]);   /* pteg[16] */
    304 r = be64_to_cpu(pteg[i+1]); /* pteg[17] */

I really don't know if the for loop will somehow iterate until i is 16; anyway, I think that the last reads should use a defined max len/index or another clearer method. E.g.:

    v = be64_to_cpu(pteg[PTEG_LEN - 2]);
    r = be64_to_cpu(pteg[PTEG_LEN - 1]);

Or just:

    v = be64_to_cpu(pteg[14]);
    r = be64_to_cpu(pteg[15]);

----------------------------

I found in the same file a variable that is not used.

    380 struct kvmppc_vcpu_book3s *vcpu_book3s;
    ...
    387 vcpu_book3s = to_book3s(vcpu);

-----------------------------

A question: is the kvmppc_mmu_book3s_64_init function called in an unconventional way? Because I have not found any call to it.

If something that I wrote is correct, please tell me if I could send the patch.

--
Regards,

Geyslan G. Bem
hackingbits.com
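The pattern the mail describes, as an added illustration that is not the kernel's kvmppc_mmu_book3s_64_xlate() nor code from the mail: a 16-dword PTEG is scanned in (v, r) pairs with a `for (i=0; i<16; i+=2)` loop, and i is reused as an index after the loop. The PTEG_LEN constant, the PTE_VALID/PTE_TAG_MASK match rule and the demo_* scenarios are all constructed for this example. The point it shows is what the loop variable holds on a miss (16, one past the array) and the guard a reviewer would want before the post-loop read.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the loop pattern from the mail, not the kernel's
 * kvmppc_mmu_book3s_64_xlate(): a 16-dword PTEG holds 8 PTEs, each a
 * (v, r) pair at pteg[i], pteg[i+1]. */
#define PTEG_LEN 16

/* Hypothetical match rule, constructed for this example: dword0 is valid
 * when bit 0 is set and its upper bits carry the tag being looked up. */
#define PTE_VALID     1ULL
#define PTE_TAG_MASK  (~0xffULL)

/* Mirrors `for (i=0; i<16; i+=2)` with an early exit on match and returns
 * the value the loop leaves in i: the matching slot, or PTEG_LEN (16)
 * when no slot matched and the loop ran to completion. */
static int search_pteg(const uint64_t pteg[PTEG_LEN], uint64_t tag)
{
    int i;
    for (i = 0; i < PTEG_LEN; i += 2) {
        if ((pteg[i] & PTE_VALID) && (pteg[i] & PTE_TAG_MASK) == tag)
            break;
    }
    return i;
}

/* The post-loop read with the bounds check in front of it: i is only used
 * as an index once it is known to be inside the array. Without the
 * `i >= PTEG_LEN` test, a miss would read pteg[16] and pteg[17]. */
static bool read_matched_pte(const uint64_t pteg[PTEG_LEN], uint64_t tag,
                             uint64_t *v, uint64_t *r)
{
    int i = search_pteg(pteg, tag);
    if (i >= PTEG_LEN)      /* no entry matched: nothing valid to read */
        return false;
    *v = pteg[i];
    *r = pteg[i + 1];
    return true;
}

/* Scenario 1 (constructed): empty PTEG. Returns the index the loop leaves
 * behind, which is PTEG_LEN, i.e. one past the last element. */
int demo_miss_index(void)
{
    uint64_t pteg[PTEG_LEN];
    memset(pteg, 0, sizeof pteg);
    return search_pteg(pteg, 0x1000);
}

/* Scenario 1 again, through the guarded reader: must report a miss. */
bool demo_miss_guarded(void)
{
    uint64_t pteg[PTEG_LEN], v, r;
    memset(pteg, 0, sizeof pteg);
    return read_matched_pte(pteg, 0x1000, &v, &r);
}

/* Scenario 2 (constructed): the fourth PTE (slots 6/7) matches tag 0x1000.
 * Returns its r dword, or 0 if the lookup unexpectedly misses. */
uint64_t demo_hit_r(void)
{
    uint64_t pteg[PTEG_LEN], v, r;
    memset(pteg, 0, sizeof pteg);
    pteg[6] = 0x1000 | PTE_VALID;
    pteg[7] = 0xabcd;
    return read_matched_pte(pteg, 0x1000, &v, &r) ? r : 0;
}

int main(void)
{
    printf("index after a miss: %d (array length %d)\n",
           demo_miss_index(), PTEG_LEN);
    printf("guarded miss reports match: %s\n",
           demo_miss_guarded() ? "yes" : "no");
    printf("r of matched PTE: 0x%llx\n",
           (unsigned long long)demo_hit_r());
    return 0;
}
```

The check in read_matched_pte() is the defensive form: whether the kernel's loop can exit with i == 16 or always leaves via a match is exactly the question the mail raises, and a guard on i (or on a found flag) before the read makes the answer irrelevant to memory safety. Reading a fixed last pair, as the mail's alternative suggests, stays in bounds but silently returns an entry that did not match the lookup.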