Andrew Cooper
2013-Sep-09 19:36 UTC
[PATCH] x86/ioapic: Avoid trying to access the -1th ioapic.
Discovered by Coverity, CID 1055743
Depending on the contents of the mp_irqs/mp_ioapics from the MP table,
find_isa_irq_apic() might return -1, at which point calling
ioapic_read_entry() with it is bad.
In addition to bailing if pin is -1, bail if apic is -1.
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
CC: Keir Fraser <keir@xen.org>
CC: Jan Beulich <JBeulich@suse.com>
---
xen/arch/x86/io_apic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c
index 048c61c..5512cd5 100644
--- a/xen/arch/x86/io_apic.c
+++ b/xen/arch/x86/io_apic.c
@@ -1828,7 +1828,7 @@ static void __init unlock_ExtINT_logic(void)
pin = find_isa_irq_pin(8, mp_INT);
apic = find_isa_irq_apic(8, mp_INT);
- if (pin == -1)
+ if ( pin == -1 || apic == -1 )
return;
entry0 = ioapic_read_entry(apic, pin, 0);
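Review bot: the added test in unlock_ExtINT_logic() matches only the exact sentinel (apic == -1), which is sufficient only if find_isa_irq_apic() can never return any other out-of-range value. Since apic is passed straight into ioapic_read_entry(apic, pin, 0) on the next line, either confirm that against the helper (its body is not visible in this hunk) or test for apic < 0 and pin < 0 so any negative result is rejected.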
--
1.7.10.4
Keir Fraser
2013-Sep-09 19:43 UTC
Re: [PATCH] x86/ioapic: Avoid trying to access the -1th ioapic.
On 09/09/2013 12:36, "Andrew Cooper" <andrew.cooper3@citrix.com> wrote:> Discovered by Coverity, CID 1055743 > > Depending on the contents of the mp_irqs/mp_ioapics from the MP table, > find_isa_irq_apic() might return -1, at which point calling > ioapic_read_entry() with it is bad. > > In addition to bailing if pin is -1, bail if apic is -1. > > Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> > CC: Keir Fraser <keir@xen.org> > CC: Jan Beulich <JBeulich@suse.com>Acked-by: Keir Fraser <keir@xen.org>> --- > xen/arch/x86/io_apic.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/xen/arch/x86/io_apic.c b/xen/arch/x86/io_apic.c > index 048c61c..5512cd5 100644 > --- a/xen/arch/x86/io_apic.c > +++ b/xen/arch/x86/io_apic.c > @@ -1828,7 +1828,7 @@ static void __init unlock_ExtINT_logic(void) > > pin = find_isa_irq_pin(8, mp_INT); > apic = find_isa_irq_apic(8, mp_INT); > - if (pin == -1) > + if ( pin == -1 || apic == -1 ) > return; > > entry0 = ioapic_read_entry(apic, pin, 0);
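Review bot: the early return in the quoted hunk is silent, so after "if ( pin == -1 || apic == -1 ) return;" there is no way to tell which of the two lookups failed. pin and apic come from separate calls with the same arguments (8, mp_INT), and the case being fixed is one where the pin is found but the apic is not, so a short comment above the check saying that, or a debug message naming the failed lookup, would help anyone diagnosing an unusual MP table.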