From: Thomas Huth <thuth@linux.vnet.ibm.com>
Date: Mon, 13 Jan 2014 08:26:49 +0000 (+0100)
Subject: s390x/virtio-hcall: Add range check for hypervisor call
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=f2c55d1735175ab37ab9f69854460087112d2756;p=qemu.git

s390x/virtio-hcall: Add range check for hypervisor call

The handler for diag 500 did not check whether the requested function
was in the supported range, so illegal values could crash QEMU in the
worst case.

Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
CC: qemu-stable@nongnu.org
---

diff --git a/hw/s390x/s390-virtio-hcall.c b/hw/s390x/s390-virtio-hcall.c
index ee626493c6..0e328d806d 100644
--- a/hw/s390x/s390-virtio-hcall.c
+++ b/hw/s390x/s390-virtio-hcall.c
@@ -26,11 +26,14 @@ void s390_register_virtio_hypercall(uint64_t code, s390_virtio_fn fn)
 
 int s390_virtio_hypercall(CPUS390XState *env)
 {
-    s390_virtio_fn fn = s390_diag500_table[env->regs[1]];
+    s390_virtio_fn fn;
 
-    if (!fn) {
-        return -EINVAL;
+    if (env->regs[1] < MAX_DIAG_SUBCODES) {
+        fn = s390_diag500_table[env->regs[1]];
+        if (fn) {
+            return fn(&env->regs[2]);
+        }
     }
 
-    return fn(&env->regs[2]);
+    return -EINVAL;
 }