vdpasim: Off by one in vdpasim_set_group_asid()

The > comparison needs to be >= to prevent an out of bounds access of the vdpasim->iommu[] array. The vdpasim->iommu[] is allocated in vdpasim_create() and it has vdpasim->dev_attr.nas elements. Fixes: 87e5afeac247 ("vdpasim: control virtqueue support") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Message-Id: <YotGQU1q224RKZR8@kili> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com>

vdpasim: Off by one in vdpasim_set_group_asid()
The > comparison needs to be >= to prevent an out of bounds access of the vdpasim->iommu[] array. The vdpasim->iommu[] is allocated in vdpasim_create() and it has vdpasim->dev_attr.nas elements. Fixes: 87e5afeac247 ("vdpasim: control virtqueue support") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Message-Id: <YotGQU1q224RKZR8@kili> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com>
1f97b978 · Dan Carpenter · Michael S. Tsirkin · 4f58afd6 · 1f97b978
Commit 1f97b978 authored May 23, 2022 by Dan Carpenter Committed by Michael S. Tsirkin May 31, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

drivers/vdpa/vdpa_sim/vdpa_sim.c drivers/vdpa/vdpa_sim/vdpa_sim.c +1 -1

No files found.
--- a/drivers/vdpa/vdpa_sim/vdpa_sim.c
+++ b/drivers/vdpa/vdpa_sim/vdpa_sim.c
@@ -567,7 +567,7 @@ static int vdpasim_set_group_asid(struct vdpa_device *vdpa, unsigned int group,
 	if (group > vdpasim->dev_attr.ngroups)
 		return -EINVAL;

-	if (asid > vdpasim->dev_attr.nas)
+	if (asid >= vdpasim->dev_attr.nas)
 		return -EINVAL;

 	iommu = &vdpasim->iommu[asid];