torvalds/linux
torvalds/linux
2
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Code
10a5315b47
linux/arch/x86/kvm
History
Wanpeng Li bdf7ffc899 KVM: LAPIC: Fix pv ipis out-of-bounds access 
Dan Carpenter reported that the untrusted data returns from kvm_register_read()
results in the following static checker warning:
  arch/x86/kvm/lapic.c:576 kvm_pv_send_ipi()
  error: buffer underflow 'map->phys_map' 's32min-s32max'

KVM guest can easily trigger this by executing the following assembly sequence
in Ring0:

mov $10, %rax
mov $0xFFFFFFFF, %rbx
mov $0xFFFFFFFF, %rdx
mov $0, %rsi
vmcall

As this will cause KVM to execute the following code-path:
vmx_handle_exit() -> handle_vmcall() -> kvm_emulate_hypercall() -> kvm_pv_send_ipi()
which will reach out-of-bounds access.

This patch fixes it by adding a check to kvm_pv_send_ipi() against map->max_apic_id,
ignoring destinations that are not present and delivering the rest. We also check
whether or not map->phys_map[min + i] is NULL since the max_apic_id is set to the
max apic id, some phys_map maybe NULL when apic id is sparse, especially kvm
unconditionally set max_apic_id to 255 to reserve enough space for any xAPIC ID.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Liran Alon <liran.alon@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
[Add second "if (min > map->max_apic_id)" to complete the fix. -Radim]
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2018-09-07 18:38:43 +02:00
..
cpuid.c KVM: X86: Implement "send IPI" hypercall 2018-08-06 17:59:20 +02:00
cpuid.h KVM/x86: Update the reverse_cpuid list to include CPUID_7_EDX 2018-02-03 23:06:51 +01:00
debugfs.c
emulate.c kvm: x86: Remove CR3_PCID_INVD flag 2018-08-06 17:59:02 +02:00
hyperv.c KVM: x86: ensure all MSRs can always be KVM_GET/SET_MSR'd 2018-08-06 17:32:01 +02:00
hyperv.h KVM: x86: ensure all MSRs can always be KVM_GET/SET_MSR'd 2018-08-06 17:32:01 +02:00
i8254.c
i8254.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
i8259.c
ioapic.c KVM: x86: ioapic: Preserve read-only values in the redirection table 2017-11-17 13:20:21 +01:00
ioapic.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
irq_comm.c
irq.c KVM: x86: Rename interrupt.pending to interrupt.injected 2018-03-28 22:47:06 +02:00
irq.h
Kconfig x86/kvm/Kconfig: Ensure CRYPTO_DEV_CCP_DD state at minimum matches KVM_AMD 2018-07-15 17:36:57 +02:00
kvm_cache_regs.h KVM: nVMX: Do not load EOI-exitmap while running L2 2018-03-21 14:16:44 +01:00
lapic.c KVM: LAPIC: Fix pv ipis out-of-bounds access 2018-09-07 18:38:43 +02:00
lapic.h kvm: vmx: Introduce lapic_mode enumeration 2018-05-14 18:14:25 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mmu_audit.c KVM: x86: MMU: make array audit_point_name static 2017-12-14 09:26:41 +01:00
mmu.c Fixes for KVM/ARM for Linux v4.19 v2: 2018-09-07 18:38:25 +02:00
mmu.h kvm: x86: Propagate guest PCIDs to host PCIDs 2018-08-06 17:58:56 +02:00
mmutrace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mtrr.c KVM: x86: generalize guest_cpuid_has_ helpers 2017-08-07 16:11:50 +02:00
page_track.c treewide: kvzalloc() -> kvcalloc() 2018-06-12 16:19:22 -07:00
paging_tmpl.h kvm: x86: Add a root_hpa parameter to kvm_mmu->invlpg() 2018-08-06 17:58:58 +02:00
pmu_amd.c KVM: x86: Add support for AMD Core Perf Extension in guest 2018-03-16 22:01:28 +01:00
pmu_intel.c
pmu.c KVM: x86: Add support for VMware backdoor Pseudo-PMCs 2018-03-16 22:02:01 +01:00
pmu.h KVM: x86: Add support for VMware backdoor Pseudo-PMCs 2018-03-16 22:02:01 +01:00
svm.c KVM: x86: Rename emulate_instruction() to kvm_emulate_instruction() 2018-08-30 16:20:44 +02:00
trace.h KVM: x86: hyperv: simplistic HVCALL_FLUSH_VIRTUAL_ADDRESS_{LIST,SPACE}_EX implementation 2018-05-26 15:35:35 +02:00
tss.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
vmx_evmcs.h x86/kvm: use Enlightened VMCS when running on Hyper-V 2018-03-28 22:47:06 +02:00
vmx_shadow_fields.h KVM: nVMX: track dirty state of non-shadowed VMCS fields 2018-01-16 16:50:13 +01:00
vmx.c KVM: nVMX: Fix loss of pending IRQ/NMI before entering L2 2018-09-07 18:38:42 +02:00
x86.c KVM: x86: Unexport x86_emulate_instruction() 2018-08-30 16:20:44 +02:00
x86.h KVM: x86: Unexport x86_emulate_instruction() 2018-08-30 16:20:44 +02:00