On Thu, 16 Nov 2006 18:04:22 -0000
Avi Kivity <avi@xxxxxxxxxxxx> wrote:
+static int kvm_dev_ioctl_set_msrs(struct kvm *kvm, struct kvm_msrs *msrs)
+{
+ struct kvm_vcpu *vcpu;
+ struct kvm_msr_entry *entry, *entries;
+ int rc;
+ u32 size, num_entries, i;
+
+ if (msrs->vcpu < 0 || msrs->vcpu >= KVM_MAX_VCPUS)
+ return -EINVAL;
+
+ num_entries = ARRAY_SIZE(msrs_to_save);
+ if (msrs->nmsrs < num_entries) {
+ msrs->nmsrs = num_entries; /* inform actual size */
+ return -EINVAL;
+ }
+
+ vcpu = vcpu_load(kvm, msrs->vcpu);
+ if (!vcpu)
+ return -ENOENT;
+
+ size = msrs->nmsrs * sizeof(struct kvm_msr_entry);
+ rc = -E2BIG;
+ if (size > 4096)
+ goto out_vcpu;
Classic mutiplicative overflow bug.
Only msrs->nmsrs doesn't get used
again, so there is no bug here. Yet.
+ rc = -ENOMEM;
+ entries = vmalloc(size);
+ if (entries == NULL)
+ goto out_vcpu;
+
+ rc = -EFAULT;
+ if (copy_from_user(entries, msrs->entries, size))
+ goto out_free;
+
+ rc = -EINVAL;
+ for (i=0; i<num_entries; i++) {
+ entry = &entries[i];
+ if (set_msr(vcpu, entry->index, entry->data))
+ goto out_free;
+ }
+
+ rc = 0;
+out_free:
+ vfree(entries);
+
+out_vcpu:
+ vcpu_put(vcpu);
+
+ return rc;
+}
This function returns no indication of how many msrs it actually did set. Should it?