kvm: nVMX: off by one in vmx_write_pml_buffer()

Dan Carpenter · rkrcmar · commit 4769886baf39 · 2017-05-15T16:08:56.000+02:00
There are PML_ENTITY_NUM elements in the pml_address[] array so the > should be >= or we write beyond the end of the array when we do: pml_address[vmcs12->guest_pml_index--] = gpa; Fixes: c5f983f ("nVMX: Implement emulated Page Modification Logging") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
 		if (!nested_cpu_has_pml(vmcs12))
 			return 0;
 
-		if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {
+		if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
 			vmx->nested.pml_full = true;
 			return 1;
 		}

Original file line number	Diff line number	Diff line change
`@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)`
`11213`	`11213`	`if (!nested_cpu_has_pml(vmcs12))`
`11214`	`11214`	`return 0;`
`11215`	`11215`
`11216`		`- if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {`
	`11216`	`+ if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {`
`11217`	`11217`	`vmx->nested.pml_full = true;`
`11218`	`11218`	`return 1;`
`11219`	`11219`	`}`