fridtjof/qemu-cr16
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

hw/i386/kvm: fix PIRQ bounds check in xen_physdev_map_pirq()

Browse source 
Reject pirq == s->nr_pirqs in xen_physdev_map_pirq().

Fixes: aa98ee38a5 ("hw/xen: Implement emulated PIRQ hypercall support")
Fixes: CVE-2026-0665
Reported-by: DARKNAVY (@DarkNavyOrg) <vr@darknavy.com>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Vulnerability Report <vr@darknavy.com>
Link: https://lore.kernel.org/r/13FE03BE60EA78D6+20260109023548.4047-1-vr@darknavy.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(cherry picked from commit c7504ba2a560fd884557f6e5142f03b491aad0c7)
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
This commit is contained in:
Vulnerability Report 2026-01-09 10:35:48 +08:00 committed by Michael Tokarev
parent 11e286fb93
commit 058e1774d6
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hw/i386/kvm/xen_evtchn.c
View file

@ -1877,7 +1877,7 @@ int xen_physdev_map_pirq(struct physdev_map_pirq *map)
return pirq;
}
map->pirq = pirq;
} else if (pirq > s->nr_pirqs) {
} else if (pirq >= s->nr_pirqs) {
return -EINVAL;
} else {
/*