On Thu, Nov 17, 2011 at 12:18:44PM +0200, Sasha Levin wrote:
> If we pass just enough entries to KVM_GET_SUPPORTED_CPUID, we would still
> fail with -E2BIG due to wrong comparisons.
>
> Cc: Avi Kivity <avi@xxxxxxxxxx>
> Cc: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
> Signed-off-by: Sasha Levin <levinsasha928@xxxxxxxxx>
> ---
>  arch/x86/kvm/x86.c |   12 ++++++------
>  1 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 9eff4af..460c49b 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -2664,7 +2664,7 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
>  		do_cpuid_ent(&cpuid_entries[nent], func, 0,
>  			     &nent, cpuid->nent);
>  		r = -E2BIG;
> -		if (nent >= cpuid->nent)
> +		if (nent > cpuid->nent)
>  			goto out_free;

"int nent" variable contains the index into the array. "__u32 cpuid->nent", from userspace, contains the number of entries in the array.

So the ">=" comparison is necessary to avoid overwriting past the end of the array.

The protocol goes like "try size x, if it fails with -E2BIG, increase x, try again". It's awkward.
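Review bot: relaxing the comparison to `if (nent > cpuid->nent)` lets the exactly-full state pass and turns the next write into an out-of-bounds write. In this hunk the check runs after do_cpuid_ent() has already stored into cpuid_entries[nent] and advanced nent, so nent == cpuid->nent means every slot userspace provided is now used; with `>` that state no longer returns -E2BIG, and any further do_cpuid_ent(&cpuid_entries[nent], ...) call in the same pass indexes one past the last valid entry. The reported symptom (an exactly-sized buffer still failing with -E2BIG) is real, but the fix belongs on the other side of the write: test `if (nent >= cpuid->nent) goto out_free;` before calling do_cpuid_ent(), so a buffer that is exactly large enough succeeds without the index ever reaching cpuid->nent, and keep `>=` as the operator.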
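The following is an added example, not code from the thread or from KVM: a small userspace model of the "try size x, on -E2BIG grow and retry" protocol and of the index-versus-count comparison discussed above. The struct and function names (entry, produce_entry, get_supported, query_with_retry) are hypothetical stand-ins for struct kvm_cpuid_entry2, do_cpuid_ent() and kvm_dev_ioctl_get_supported_cpuid(); TOTAL_LEAVES is a constructed count. Rather than corrupting memory, a write that would land past the end of the buffer is recorded in an `oob` flag, so the three placements of the check can be compared safely.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed: how many leaves the modelled hypervisor wants to report. */
#define TOTAL_LEAVES 6

/* Hypothetical stand-in for struct kvm_cpuid_entry2. */
struct entry {
    unsigned int function;
    unsigned int eax;
};

/* Where the bounds check sits relative to the write into the buffer. */
enum check_mode {
    CHECK_AFTER_GE,  /* original code:  write, then "if (nent >= cpuid->nent)" */
    CHECK_AFTER_GT,  /* proposed patch: write, then "if (nent > cpuid->nent)"  */
    CHECK_BEFORE     /* alternative:    require a free slot before writing      */
};

struct result {
    int rc;        /* 0 or -E2BIG (or -ENOMEM) */
    size_t cap;    /* buffer size, in entries, that finally succeeded */
    int count;     /* entries actually filled */
    bool oob;      /* true if an entry would have been written past the end */
};

/* Models do_cpuid_ent(): fills buf[*nent] and advances *nent. A real write past
 * the end would be memory corruption; here it is recorded in *oob instead. */
static void produce_entry(struct entry *buf, size_t cap, unsigned int func,
                          int *nent, bool *oob)
{
    if ((size_t)*nent >= cap) {
        *oob = true;
        return;
    }
    buf[*nent].function = func;
    buf[*nent].eax = 0x10u * func;  /* constructed placeholder value */
    (*nent)++;
}

/* Models kvm_dev_ioctl_get_supported_cpuid(): "nent" is an index into the
 * buffer, "cap" is the number of entries userspace provided (cpuid->nent). */
static int get_supported(struct entry *buf, size_t cap, int *count,
                         enum check_mode mode, bool *oob)
{
    int nent = 0;

    for (unsigned int func = 0; func < TOTAL_LEAVES; ++func) {
        if (mode == CHECK_BEFORE && (size_t)nent >= cap)
            return -E2BIG;
        produce_entry(buf, cap, func, &nent, oob);
        if (mode == CHECK_AFTER_GE && (size_t)nent >= cap)
            return -E2BIG;
        if (mode == CHECK_AFTER_GT && (size_t)nent > cap)
            return -E2BIG;
    }
    *count = nent;
    return 0;
}

/* Models the userspace side of the protocol: try size x, on -E2BIG double x
 * and try again. */
static struct result query_with_retry(enum check_mode mode, size_t start_cap)
{
    struct result res = { -E2BIG, 0, 0, false };
    size_t cap = start_cap;

    for (int attempt = 0; attempt < 8; ++attempt) {
        struct entry *buf = calloc(cap, sizeof *buf);
        if (!buf) {
            res.rc = -ENOMEM;
            return res;
        }
        res.oob = false;
        res.rc = get_supported(buf, cap, &res.count, mode, &res.oob);
        free(buf);
        if (res.rc != -E2BIG) {
            res.cap = cap;
            return res;
        }
        cap *= 2;
    }
    return res;
}

int main(void)
{
    const char *names[] = { "check-after >=", "check-after >", "check-before" };
    const size_t starts[] = { TOTAL_LEAVES, TOTAL_LEAVES / 2 };

    for (size_t s = 0; s < 2; ++s)
        for (int m = CHECK_AFTER_GE; m <= CHECK_BEFORE; ++m) {
            struct result r = query_with_retry((enum check_mode)m, starts[s]);
            printf("%-15s start=%zu -> rc=%d cap=%zu count=%d oob=%s\n",
                   names[m], starts[s], r.rc, r.cap, r.count,
                   r.oob ? "yes" : "no");
        }
    return 0;
}
```

Starting from an exactly-sized buffer, the check-after-`>=` placement reports -E2BIG and forces the caller to retry with twice the space it needed, which is the symptom the patch describes; the check-after-`>` placement accepts a buffer that is too small and silently drops the overflowing entries (in the kernel that would be a write past the allocation); checking before the write succeeds at the exact size and never indexes beyond the buffer.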