s390x/virtio-hcall: Add range check for hypervisor call

The handler for diag 500 did not check whether the requested function was in the supported range, so illegal values could crash QEMU in the worst case. Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> CC: qemu-stable@nongnu.org (cherry picked from commit f2c55d1735175ab37ab9f69854460087112d2756) Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
author: Thomas Huth <thuth@linux.vnet.ibm.com> 2014-01-13 09:26:49 +0100
committer: Michael Roth <mdroth@linux.vnet.ibm.com> 2014-06-25 11:11:45 -0500
commit: 91ae1d30ec5b3b8826c2f9e3742e1d52f2fadb0b (patch)
tree: 6df1a4403c6b476a4c5a2bfd1408c20dab95fff4
parent: 0a77a92d74f98e4898cb54c945ada84768427851 (diff)
1 files changed, 7 insertions, 4 deletions
diff --git a/hw/s390x/s390-virtio-hcall.c b/hw/s390x/s390-virtio-hcall.c
index ee626493c6..0e328d806d 100644
--- a/hw/s390x/s390-virtio-hcall.c
+++ b/hw/s390x/s390-virtio-hcall.c
@@ -26,11 +26,14 @@ void s390_register_virtio_hypercall(uint64_t code, s390_virtio_fn fn)
 
 int s390_virtio_hypercall(CPUS390XState *env)
 {
-    s390_virtio_fn fn = s390_diag500_table[env->regs[1]];
+    s390_virtio_fn fn;
 
-    if (!fn) {
-        return -EINVAL;
+    if (env->regs[1] < MAX_DIAG_SUBCODES) {
+        fn = s390_diag500_table[env->regs[1]];
+        if (fn) {
+            return fn(&env->regs[2]);
+        }
     }
 
-    return fn(&env->regs[2]);
+    return -EINVAL;
 }
author	Thomas Huth <thuth@linux.vnet.ibm.com>	2014-01-13 09:26:49 +0100
committer	Michael Roth <mdroth@linux.vnet.ibm.com>	2014-06-25 11:11:45 -0500
commit	91ae1d30ec5b3b8826c2f9e3742e1d52f2fadb0b (patch)
tree	6df1a4403c6b476a4c5a2bfd1408c20dab95fff4
parent	0a77a92d74f98e4898cb54c945ada84768427851 (diff)