From: Thomas Huth <th...@linux.vnet.ibm.com>

The handler for diag 500 did not check whether the requested function was in the supported range, so illegal values could crash QEMU in the worst case.
Signed-off-by: Thomas Huth <th...@linux.vnet.ibm.com> Reviewed-by: Cornelia Huck <cornelia.h...@de.ibm.com> Signed-off-by: Christian Borntraeger <borntrae...@de.ibm.com> CC: qemu-sta...@nongnu.org (cherry picked from commit f2c55d1735175ab37ab9f69854460087112d2756) Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com> --- hw/s390x/s390-virtio-hcall.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/hw/s390x/s390-virtio-hcall.c b/hw/s390x/s390-virtio-hcall.c index ee62649..0e328d8 100644 --- a/hw/s390x/s390-virtio-hcall.c +++ b/hw/s390x/s390-virtio-hcall.c @@ -26,11 +26,14 @@ void s390_register_virtio_hypercall(uint64_t code, s390_virtio_fn fn) int s390_virtio_hypercall(CPUS390XState *env) { - s390_virtio_fn fn = s390_diag500_table[env->regs[1]]; + s390_virtio_fn fn; - if (!fn) { - return -EINVAL; + if (env->regs[1] < MAX_DIAG_SUBCODES) { + fn = s390_diag500_table[env->regs[1]]; + if (fn) { + return fn(&env->regs[2]); + } } - return fn(&env->regs[2]); + return -EINVAL; } -- 1.9.1
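Review bot: the new bound `env->regs[1] < MAX_DIAG_SUBCODES` in s390_virtio_hypercall() is only correct as long as MAX_DIAG_SUBCODES stays equal to the number of entries in s390_diag500_table, and the table's declaration is not in this hunk, so the two can silently drift apart; comparing against ARRAY_SIZE(s390_diag500_table) instead would tie the check to the array itself. The check also relies on the guest register being unsigned so that a single `<` covers both ends of the range (a negative-looking value cannot slip past it); a one-line comment saying so would save the next reader from re-deriving it. Minor: both an out-of-range subcode and an unregistered slot now fall through to the same `return -EINVAL;`, which is fine for the guest, but the two cases are no longer distinguishable when debugging a misbehaving guest.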