On Thu, 2011-11-24 at 08:09 -0200, Marcelo Tosatti wrote:
> On Thu, Nov 17, 2011 at 12:18:44PM +0200, Sasha Levin wrote:
> > If we pass just enough entries to KVM_GET_SUPPORTED_CPUID, we would still
> > fail with -E2BIG due to wrong comparisons.
> >
> > Cc: Avi Kivity <avi@xxxxxxxxxx>
> > Cc: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
> > Signed-off-by: Sasha Levin <levinsasha928@xxxxxxxxx>
> > ---
> >  arch/x86/kvm/x86.c |   12 ++++++------
> >  1 files changed, 6 insertions(+), 6 deletions(-)
> >
> > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> > index 9eff4af..460c49b 100644
> > --- a/arch/x86/kvm/x86.c
> > +++ b/arch/x86/kvm/x86.c
> > @@ -2664,7 +2664,7 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
> >  		do_cpuid_ent(&cpuid_entries[nent], func, 0,
> >  			     &nent, cpuid->nent);
> >  	r = -E2BIG;
> > -	if (nent >= cpuid->nent)
> > +	if (nent > cpuid->nent)
> >  		goto out_free;
>
> "int nent" variable contains the index into the array.
> "__u32 cpuid->nent", from userspace, contains the number
> of entries in the array.
>
> So the ">=" comparison is necessary to avoid overwriting past the end of
> the array.

Right, only the last comparison should be changed to ">" because in that case
it's OK if nent (which points to the next entry) equals cpuid->nent.

>
> The protocol goes like "try size x, if it fails with -E2BIG, increase x,
> try again".

It's awkward. We can set nent to be the amount of entries required like we
do in the opposite case where we passed too many entries.

-- 
Sasha.
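Review bot: relaxing `>=` to `>` is only safe where no further write follows the check. In the quoted hunk the test sits directly after `do_cpuid_ent(&cpuid_entries[nent], func, 0, &nent, cpuid->nent)`, where `nent` is the index of the next free slot and `cpuid->nent` the capacity, so `nent == cpuid->nent` means the array is exactly full; that is fine only if this is the last write before the entries are copied out. Any check of the same shape that precedes another `do_cpuid_ent(&cpuid_entries[nent], ...)` call must keep `>=`, otherwise that call writes one past the end. The diffstat (6 insertions, 6 deletions) shows more hunks than the one quoted here, so each changed comparison should be classified as pre-write (keep `>=`) or post-fill (`>` acceptable). A second problem with the post-fill `>` on its own: `do_cpuid_ent` is handed `cpuid->nent` together with `&nent`, presumably as its limit, so a fill that was silently cut short also ends with `nent == cpuid->nent` and would now be reported as success. Having the fill routine return -E2BIG itself when it runs out of room, and setting `cpuid->nent` to the required count on that path so userspace can resize once instead of retrying with growing sizes (as proposed in the reply), removes both the ambiguity and the probing loop.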
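The index-versus-capacity point Marcelo raises, and the "report the required size on -E2BIG" contract Sasha proposes, are easy to get wrong in one direction or the other. The following is an added, constructed example (not KVM code and not from this thread) that shows the two rules side by side: the check before a write must be `>=`, the check after the last write may treat "exactly full" as success, and the fill routine itself reports overflow so the caller can tell "exactly full" from "truncated". `emit_entry`, `get_supported_entries` and `run_with_capacity` are hypothetical names; the entry layout and leaf contents are made up.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct kvm_cpuid_entry2; only what the
 * bounds logic needs. */
struct cpuid_entry {
	uint32_t function;
	uint32_t index;
	uint32_t eax, ebx, ecx, edx;
};

/*
 * Hypothetical emitter modelled on the do_cpuid_ent() call shape in the
 * quoted hunk (entry pointer, function, index, running count, capacity).
 * *nent is the index of the NEXT free slot, maxnent the capacity.
 * The pre-write test must be ">=": when *nent == maxnent the array is
 * full and a write would land one past the end.  Rather than silently
 * dropping the entry, it returns -E2BIG so the caller can distinguish
 * "exactly full" from "truncated".
 */
static int emit_entry(struct cpuid_entry *entries, uint32_t function,
		      uint32_t index, int *nent, int maxnent)
{
	if (*nent >= maxnent)
		return -E2BIG;
	entries[*nent].function = function;
	entries[*nent].index = index;
	/* Constructed leaf contents; real code would execute CPUID here. */
	entries[*nent].eax = function ^ 0xa5a5a5a5u;
	entries[*nent].ebx = entries[*nent].ecx = entries[*nent].edx = 0;
	++*nent;
	return 0;
}

/*
 * Constructed query with a KVM_GET_SUPPORTED_CPUID-style contract:
 * on entry *nent is the caller's capacity; on success (0) it holds the
 * number of entries written.  On -E2BIG it holds the number of entries
 * that would have been needed, so the caller resizes once instead of
 * probing with growing sizes.  `limit` is the highest leaf reported;
 * leaf 4 gets `subleaves` sub-entries to mimic a multi-index leaf.
 * A capacity of 0 (entries may be NULL) is a pure sizing probe.
 */
int get_supported_entries(struct cpuid_entry *entries, int *nent,
			  uint32_t limit, uint32_t subleaves)
{
	int cap = *nent;
	int count = 0;		/* entries actually written */
	int required = 0;	/* entries the full answer needs */
	int r = 0;
	uint32_t func, sub;

	for (func = 0; func <= limit; ++func) {
		uint32_t n = (func == 4) ? subleaves : 1;
		for (sub = 0; sub < n; ++sub) {
			required++;
			/* keep counting after the first -E2BIG so the
			 * required size is exact, but stop writing */
			if (r == 0)
				r = emit_entry(entries, func, sub, &count, cap);
		}
	}
	/* Post-fill: count == cap is "exactly full", not an error; only a
	 * -E2BIG from the emitter means something was left out. */
	*nent = (r == 0) ? count : required;
	return r;
}

/* Test helper: run the query with `cap` usable slots backed by a sentinel
 * slot just past the end; reports the result size via *nent_out and
 * whether the sentinel was clobbered via *overrun. */
int run_with_capacity(int cap, uint32_t limit, uint32_t subleaves,
		      int *nent_out, int *overrun)
{
	struct cpuid_entry buf[32];
	int nent = cap;
	int r;

	if (cap < 0 || cap + 1 > 32)
		return -EINVAL;
	memset(buf, 0, sizeof(buf));
	buf[cap].function = 0xdeadbeefu;	/* sentinel one past the end */
	r = get_supported_entries(buf, &nent, limit, subleaves);
	*nent_out = nent;
	*overrun = buf[cap].function != 0xdeadbeefu;
	return r;
}

int main(void)
{
	int nent = 0, r, overrun;

	/* 1. size the buffer with a zero-capacity probe */
	r = get_supported_entries(NULL, &nent, 7, 3);
	printf("probe: r=%d required=%d\n", r, nent);
	/* 2. exactly that many slots succeeds: nent == cap is not an error */
	r = run_with_capacity(nent, 7, 3, &nent, &overrun);
	printf("exact fit: r=%d nent=%d overrun=%d\n", r, nent, overrun);
	return 0;
}
```

With limit 7 and three sub-entries for leaf 4 the full answer is 10 entries: a capacity of 10 fills exactly and succeeds, 9 or 0 returns -E2BIG with `*nent` set to 10, and in every case the sentinel past the end stays untouched.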