KVM: selftests: Fix out-of-bounds reads in CPUID test's array lookups

sean-jc · bonzini · commit 773cca183440 · 2024-10-20T12:10:44.000-04:00
When looking for a "mangled", i.e. dynamic, CPUID entry, terminate the walk based on the number of array _entries_, not the size in bytes of the array. Iterating based on the total size of the array can result in false passes, e.g. if the random data beyond the array happens to match a CPUID entry's function and index. Fixes: fb18d05 ("selftest: kvm: x86: test KVM_GET_CPUID2 and guest visible CPUIDs against KVM_GET_SUPPORTED_CPUID") Signed-off-by: Sean Christopherson <seanjc@google.com> Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com> Message-ID: <20241003234337.273364-2-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
diff --git a/tools/testing/selftests/kvm/x86_64/cpuid_test.c b/tools/testing/selftests/kvm/x86_64/cpuid_test.c
@@ -60,7 +60,7 @@ static bool is_cpuid_mangled(const struct kvm_cpuid_entry2 *entrie)
 {
 	int i;
 
-	for (i = 0; i < sizeof(mangled_cpuids); i++) {
+	for (i = 0; i < ARRAY_SIZE(mangled_cpuids); i++) {
 		if (mangled_cpuids[i].function == entrie->function &&
 		    mangled_cpuids[i].index == entrie->index)
 			return true;

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ static bool is_cpuid_mangled(const struct kvm_cpuid_entry2 *entrie)`
`60`	`60`	`{`
`61`	`61`	`int i;`
`62`	`62`
`63`		`- for (i = 0; i < sizeof(mangled_cpuids); i++) {`
	`63`	`+ for (i = 0; i < ARRAY_SIZE(mangled_cpuids); i++) {`
`64`	`64`	`if (mangled_cpuids[i].function == entrie->function &&`
`65`	`65`	`mangled_cpuids[i].index == entrie->index)`
`66`	`66`	`return true;`