On Wed, Nov 13, 2019 at 10:42:08PM +0530, P J P wrote:
> From: P J P <pjp@xxxxxxxxxxxxxxxxx>
>
> openpic_src_write sets interrupt level 'src->output' masked with
> ILR_INTTGT_MASK(=0xFF). It's then used to index 'dst->outputs_active'
> array. With NUM_INPUTS=3, it may lead to OOB array access.
>
> Reported-by: Reno Robert <renorobert@xxxxxxxxx>
> Signed-off-by: P J P <pjp@xxxxxxxxxxxxxxxxx>
> ---
>  arch/powerpc/kvm/mpic.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/kvm/mpic.c b/arch/powerpc/kvm/mpic.c
> index fe312c160d97..a5ae884d3891 100644
> --- a/arch/powerpc/kvm/mpic.c
> +++ b/arch/powerpc/kvm/mpic.c
> @@ -103,7 +103,7 @@ static struct fsl_mpic_info fsl_mpic_42 = {
>  #define ILR_INTTGT_INT 0x00
>  #define ILR_INTTGT_CINT 0x01 /* critical */
>  #define ILR_INTTGT_MCP 0x02 /* machine check */
> -#define NUM_OUTPUTS 3
> +#define NUM_OUTPUTS 0xff

I don't think this is the correct fix. This code is emulating hardware
which can drive up to three interrupt outputs per CPU, not 255. Instead
we need either to prevent src->output from being set to 3 or greater, or
else limit its value when it is used.

Paul.
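Review bot: the NUM_OUTPUTS hunk widens the bound instead of checking the index, so the masked 'src->output' value still reaches 'dst->outputs_active' unvalidated, and the three interrupt targets defined just above it (ILR_INTTGT_INT, ILR_INTTGT_CINT, ILR_INTTGT_MCP) no longer match the output count the emulation advertises. Note too that 0xff is 255 while the description says the index is masked with ILR_INTTGT_MASK(=0xFF), so if NUM_OUTPUTS is the array bound the largest masked value is still one past the end. The safer change is a range check in openpic_src_write, e.g. reject or clamp any target value at or above NUM_OUTPUTS before it is stored in 'src->output', and leave NUM_OUTPUTS at 3.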