[PATCH] Drivers: hv: mshv: add bounds check on vp_index in mshv_intercept_isr()
From: Junrui Luo
Date: Thu Apr 16 2026 - 10:18:49 EST
mshv_intercept_isr() extracts vp_index from the hypervisor message
payload and uses it directly to index into pt_vp_array without
validation. handle_bitset_message() and handle_pair_message() already
validate vp_index against MSHV_MAX_VPS before array access.

A vp_index exceeding MSHV_MAX_VPS leads to an out-of-bounds read from
pt_vp_array.

Add the same MSHV_MAX_VPS bounds check for consistency with the other
message handlers.
Fixes: 621191d709b1 ("Drivers: hv: Introduce mshv_root module to expose /dev/mshv to VMMs")
Reported-by: Yuhao Jiang <danisjiang@xxxxxxxxx>
Signed-off-by: Junrui Luo <moonafterrain@xxxxxxxxxxx>
---
drivers/hv/mshv_synic.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hv/mshv_synic.c b/drivers/hv/mshv_synic.c
index 43f1bcbbf2d3..5bceb8122981 100644
--- a/drivers/hv/mshv_synic.c
+++ b/drivers/hv/mshv_synic.c
@@ -384,6 +384,10 @@ mshv_intercept_isr(struct hv_message *msg)
*/
vp_index =
((struct hv_opaque_intercept_message *)msg->u.payload)->vp_index;
+ if (unlikely(vp_index >= MSHV_MAX_VPS)) {
+ pr_debug("VP index %u out of bounds\n", vp_index);
+ goto unlock_out;
+ }
vp = partition->pt_vp_array[vp_index];
if (unlikely(!vp)) {
pr_debug("failed to find VP %u\n", vp_index);
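Review bot: the added `vp_index >= MSHV_MAX_VPS` test ahead of `partition->pt_vp_array[vp_index]` only covers the upper bound, so it is complete only if vp_index is an unsigned type. The declaration is outside this hunk; the `%u` in the new pr_debug() suggests it is unsigned, but please confirm it matches the width and signedness of the `vp_index` field in `struct hv_opaque_intercept_message`, since a signed local would let a negative value pass the comparison. The check also rejects vp_index equal to MSHV_MAX_VPS, while the commit message says "exceeding MSHV_MAX_VPS"; the code is the safer reading if pt_vp_array has MSHV_MAX_VPS entries, so the message could say "greater than or equal to". Since the commit message notes that handle_bitset_message() and handle_pair_message() carry the same test, a small shared helper for the bounds-checked lookup would keep the three handlers from drifting apart again.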
---
base-commit: 7aaa8047eafd0bd628065b15757d9b48c5f9c07d
change-id: 20260416-fixes-693196e52f93
Best regards,
--
Junrui Luo <moonafterrain@xxxxxxxxxxx>