Diffstat (limited to 'drivers/lguest/lguest_user.c')
-rw-r--r-- | drivers/lguest/lguest_user.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/drivers/lguest/lguest_user.c b/drivers/lguest/lguest_user.c
index c4bfe5a2b6b..9f0a4432994 100644
--- a/drivers/lguest/lguest_user.c
+++ b/drivers/lguest/lguest_user.c
@@ -55,11 +55,19 @@ static int user_send_irq(struct lguest *lg, const unsigned long __user *input)
 static ssize_t read(struct file *file, char __user *user, size_t size,loff_t*o)
 {
 	struct lguest *lg = file->private_data;
+	struct lg_cpu *cpu;
+	unsigned int cpu_id = *o;
 
 	/* You must write LHREQ_INITIALIZE first! */
 	if (!lg)
 		return -EINVAL;
 
+	/* Watch out for arbitrary vcpu indexes! */
+	if (cpu_id >= lg->nr_cpus)
+		return -EINVAL;
+
+	cpu = &lg->cpus[cpu_id];
+
 	/* If you're not the task which owns the Guest, go away. */
 	if (current != lg->tsk)
 		return -EPERM;
@@ -85,7 +93,7 @@ static ssize_t read(struct file *file, char __user *user, size_t size,loff_t*o)
 	lg->pending_notify = 0;
 
 	/* Run the Guest until something interesting happens. */
-	return run_guest(lg, (unsigned long __user *)user);
+	return run_guest(cpu, (unsigned long __user *)user);
 }
 
 static int lg_cpu_start(struct lg_cpu *cpu, unsigned id, unsigned long start_ip)
@@ -147,7 +155,7 @@ static int initialize(struct file *file, const unsigned long __user *input)
 	lg->pfn_limit = args[1];
 
 	/* This is the first cpu */
-	err = cpu_start(&lg->cpus[0], 0, args[3]);
+	err = lg_cpu_start(&lg->cpus[0], 0, args[3]);
 	if (err)
 		goto release_guest;
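Review bot: In the first hunk, `unsigned int cpu_id = *o;` narrows the user-controlled loff_t file offset to 32 bits before the new `cpu_id >= lg->nr_cpus` check, so offsets that differ only in their upper bits alias onto the same vcpu (an offset of 2^32 selects cpu 0), and a negative offset is rejected only because its truncated value happens to be large. The truncated index is still bounded by the check, so the lookup `cpu = &lg->cpus[cpu_id]` cannot run out of bounds; the issue is that the validated value and the value the caller supplied are not the same number. Doing the comparison in the wider type and only then assigning, `if (*o < 0 || *o >= lg->nr_cpus) return -EINVAL;` followed by `cpu_id = *o;`, keeps the check and the index in agreement (the exact type of nr_cpus is not visible here, so the comparison form may need a cast). The body of read() continues outside the first hunk.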