KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
bigger than the maximal number of VCPUs, resulting in out-of-bounds
access.
Found by syzkaller:
  BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
  Write of size 1 by task a.out/27101
  CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
   [...]
  Call Trace:
   [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
   [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
   [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
   [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
   [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
   [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
   [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
   [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
   [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
   [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: af1bae5497 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
		
	
			
		
			
				
	
	
		
#ifndef __KVM_IO_APIC_H
#define __KVM_IO_APIC_H

#include <linux/kvm_host.h>

#include <kvm/iodev.h>

struct kvm;
struct kvm_vcpu;

#define IOAPIC_NUM_PINS  KVM_IOAPIC_NUM_PINS
#define MAX_NR_RESERVED_IOAPIC_PINS KVM_MAX_IRQ_ROUTES
#define IOAPIC_VERSION_ID 0x11	/* IOAPIC version */
#define IOAPIC_EDGE_TRIG  0
#define IOAPIC_LEVEL_TRIG 1

/* Guest-physical MMIO window of the emulated IOAPIC */
#define IOAPIC_DEFAULT_BASE_ADDRESS  0xfec00000
#define IOAPIC_MEM_LENGTH            0x100

/* Direct registers (offsets within the MMIO window). */
#define IOAPIC_REG_SELECT  0x00
#define IOAPIC_REG_WINDOW  0x10

/* Indirect registers (selected via IOAPIC_REG_SELECT, accessed via IOAPIC_REG_WINDOW). */
#define IOAPIC_REG_APIC_ID 0x00	/* x86 IOAPIC only */
#define IOAPIC_REG_VERSION 0x01
#define IOAPIC_REG_ARB_ID  0x02	/* x86 IOAPIC only */

/* ioapic delivery mode (values of the 3-bit delivery_mode redirect entry field) */
#define	IOAPIC_FIXED			0x0
#define	IOAPIC_LOWEST_PRIORITY		0x1
#define	IOAPIC_PMI			0x2
#define	IOAPIC_NMI			0x4
#define	IOAPIC_INIT			0x5
#define	IOAPIC_EXTINT			0x7

/* GSI of the RTC interrupt; only x86 has one, other architectures use -1U */
#ifdef CONFIG_X86
#define RTC_GSI 8
#else
#define RTC_GSI -1U
#endif

/*
 * Record of which vcpus an IRQ has been sent to.  Both arrays are indexed
 * by vcpu_id, which can be larger than KVM_MAX_VCPUS, so they must be sized
 * by KVM_MAX_VCPU_ID: sizing them by KVM_MAX_VCPUS allowed a vcpu_id above
 * that limit to write past the end of the array (KASAN slab-out-of-bounds
 * in __apic_accept_irq()).
 */
struct dest_map {
	/* vcpu bitmap where IRQ has been sent */
	DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);

	/*
	 * Vector sent to a given vcpu, only valid when
	 * the vcpu's bit in map is set
	 */
	u8 vectors[KVM_MAX_VCPU_ID];
};


/* EOI tracking state for the RTC interrupt (RTC_GSI), see kvm_rtc_eoi_tracking_restore_one() */
struct rtc_status {
	int pending_eoi;		/* presumably the number of EOIs still outstanding - confirm in ioapic.c */
	struct dest_map dest_map;	/* vcpus the RTC interrupt was delivered to, and with which vector */
};

/*
 * One 64-bit IOAPIC redirection table entry: @bits is the raw value, @fields
 * the decoded view.  The bitfields, reserved bytes and dest_id add up to
 * exactly 64 bits, with dest_id occupying the top byte.
 */
union kvm_ioapic_redirect_entry {
	u64 bits;
	struct {
		u8 vector;
		u8 delivery_mode:3;	/* one of IOAPIC_FIXED .. IOAPIC_EXTINT */
		u8 dest_mode:1;
		u8 delivery_status:1;
		u8 polarity:1;
		u8 remote_irr:1;
		u8 trig_mode:1;		/* IOAPIC_EDGE_TRIG or IOAPIC_LEVEL_TRIG */
		u8 mask:1;
		u8 reserve:7;
		u8 reserved[4];
		u8 dest_id;
	} fields;
};

/* State of the in-kernel IOAPIC model of one VM (kvm->arch.vioapic, see ioapic_irqchip()) */
struct kvm_ioapic {
	u64 base_address;	/* guest-physical MMIO base (cf. IOAPIC_DEFAULT_BASE_ADDRESS) */
	u32 ioregsel;		/* register index written through IOAPIC_REG_SELECT */
	u32 id;
	u32 irr;		/* NOTE(review): presumably one bit per pin - confirm in ioapic.c */
	u32 pad;
	union kvm_ioapic_redirect_entry redirtbl[IOAPIC_NUM_PINS];	/* redirection table, one entry per pin */
	unsigned long irq_states[IOAPIC_NUM_PINS];
	struct kvm_io_device dev;
	struct kvm *kvm;	/* owning VM */
	void (*ack_notifier)(void *opaque, int irq);
	spinlock_t lock;
	struct rtc_status rtc_status;	/* RTC EOI tracking, see struct rtc_status */
	struct delayed_work eoi_inject;
	u32 irq_eoi[IOAPIC_NUM_PINS];
	u32 irr_delivered;
};

/*
 * ASSERT(x): under DEBUG, log the failed condition with file and line and
 * BUG(); without DEBUG it expands to an empty statement and @x is never
 * evaluated, so the argument must have no side effects.
 */
#ifdef DEBUG
#define ASSERT(x)  							\
do {									\
	if (!(x)) {							\
		printk(KERN_EMERG "assertion failed %s: %d: %s\n",	\
		       __FILE__, __LINE__, #x);				\
		BUG();							\
	}								\
} while (0)
#else
#define ASSERT(x) do { } while (0)
#endif

/*
 * Look up the in-kernel IOAPIC model of @kvm.
 *
 * Returns kvm->arch.vioapic, which is NULL when the VM has no in-kernel
 * IOAPIC (see ioapic_in_kernel()).
 */
static inline struct kvm_ioapic *ioapic_irqchip(struct kvm *kvm)
{
	struct kvm_ioapic *ioapic = kvm->arch.vioapic;

	return ioapic;
}

/*
 * Report whether @kvm has an in-kernel IOAPIC.
 *
 * Returns 1 when ioapic_irqchip() yields a non-NULL pointer, 0 otherwise.
 */
static inline int ioapic_in_kernel(struct kvm *kvm)
{
	return ioapic_irqchip(kvm) != NULL;
}

/* Prototypes; implementations live in ioapic.c, lapic.c and irq_comm.c. */
void kvm_rtc_eoi_tracking_restore_one(struct kvm_vcpu *vcpu);
bool kvm_apic_match_dest(struct kvm_vcpu *vcpu, struct kvm_lapic *source,
		int short_hand, unsigned int dest, int dest_mode);
int kvm_apic_compare_prio(struct kvm_vcpu *vcpu1, struct kvm_vcpu *vcpu2);
void kvm_ioapic_update_eoi(struct kvm_vcpu *vcpu, int vector,
			int trigger_mode);
int kvm_ioapic_init(struct kvm *kvm);
void kvm_ioapic_destroy(struct kvm *kvm);
int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int irq_source_id,
		       int level, bool line_status);
void kvm_ioapic_clear_all(struct kvm_ioapic *ioapic, int irq_source_id);
/*
 * @dest_map records the vcpus @irq was delivered to (see struct dest_map);
 * its arrays are indexed by vcpu_id, hence the KVM_MAX_VCPU_ID sizing.
 */
int kvm_irq_delivery_to_apic(struct kvm *kvm, struct kvm_lapic *src,
			     struct kvm_lapic_irq *irq,
			     struct dest_map *dest_map);
/* Save/restore of the IOAPIC state for the KVM_GET_IRQCHIP/KVM_SET_IRQCHIP ioctl path */
int kvm_get_ioapic(struct kvm *kvm, struct kvm_ioapic_state *state);
int kvm_set_ioapic(struct kvm *kvm, struct kvm_ioapic_state *state);
void kvm_ioapic_scan_entry(struct kvm_vcpu *vcpu,
			   ulong *ioapic_handled_vectors);
void kvm_scan_ioapic_routes(struct kvm_vcpu *vcpu,
			    ulong *ioapic_handled_vectors);
#endif