Subject: [RFC] kvm - possible out of bounds
From: Geyslan Gregório Bem
To: Gleb Natapov, Paolo Bonzini, Alexander Graf, Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman, kvm@vger.kernel.org, kvm-ppc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, LKML
Date: Sun, 29 Nov 2015 17:14:03 -0300

Hello,

I have found a possible out-of-bounds read in arch/powerpc/kvm/book3s_64_mmu.c (kvmppc_mmu_book3s_64_xlate function).

The pteg[] array could be accessed twice using the i variable after the for iteration. What happens is that in the last iteration the i index is incremented to 16, checked (i<16), then confirmed, exiting the loop.

    277 for (i=0; i<16; i+=2) {
    ...

Later there are reading attempts to the pteg last elements, but using again the already incremented i (16).

    303 v = be64_to_cpu(pteg[i]); /* pteg[16] */
    304 r = be64_to_cpu(pteg[i+1]); /* pteg[17] */

I really don't know if the for loop will somehow iterate until i is 16; anyway, I think that the last readings must use a defined max len/index or another clearer method. E.g.

    v = be64_to_cpu(pteg[PTEG_LEN - 2]);
    r = be64_to_cpu(pteg[PTEG_LEN - 1]);

Or just:

    v = be64_to_cpu(pteg[14]);
    r = be64_to_cpu(pteg[15]);

----------------------------

I found in the same file a variable that is not used.

    380 struct kvmppc_vcpu_book3s *vcpu_book3s;
    ...
    387 vcpu_book3s = to_book3s(vcpu);

-----------------------------

A question: is the kvmppc_mmu_book3s_64_init function accessed in an unconventional way? Because I have not found any call to it.

If something that I wrote is correct, please tell me if I could send the patch.

--
Regards,

Geyslan G. Bem
hackingbits.com
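The pattern the mail describes, a loop counter that is reused as an array index after the loop has run off the end, is shown below in a self-contained C example. This is added illustration, not the kernel's book3s_64_mmu.c code or the poster's patch: the 16-entry group of (pte0, pte1) pairs, the PTE_VALID bit and the match rule are constructed assumptions that only serve to show where the index 16 comes from and how a lookup can return its result without exposing the exhausted counter.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed layout (assumption, not the kernel's): a 16-word group holding
 * eight (pte0, pte1) pairs, indexed by even i as in the loop from the mail. */
#define PTEG_LEN 16
#define PTE_VALID (1ULL << 63)   /* hypothetical "entry in use" bit */

/* Fill a group with recognisable sample values (constructed test data). */
static void fill_sample(uint64_t pteg[PTEG_LEN])
{
	for (int i = 0; i < PTEG_LEN; i += 2) {
		pteg[i]     = PTE_VALID | (uint64_t)(0x100 + i);  /* pte0 */
		pteg[i + 1] = (uint64_t)(0xabc0 + i);             /* pte1 */
	}
}

/* The risky shape: the loop counter is the only record of what was found.
 * On a miss the loop exits with i == PTEG_LEN, one word past the group;
 * pteg[i] and pteg[i + 1] would then be pteg[16] and pteg[17]. */
static int loop_counter_after_search(const uint64_t pteg[PTEG_LEN],
				     uint64_t want)
{
	int i;
	for (i = 0; i < PTEG_LEN; i += 2) {
		if ((pteg[i] & PTE_VALID) && (pteg[i] & ~PTE_VALID) == want)
			break;
	}
	return i;   /* 16 on a miss */
}

/* The safer shape: return a result that is either a valid even index or -1,
 * so the caller never sees the exhausted counter. */
static int pteg_find(const uint64_t pteg[PTEG_LEN], uint64_t want)
{
	for (int i = 0; i < PTEG_LEN; i += 2) {
		if ((pteg[i] & PTE_VALID) && (pteg[i] & ~PTE_VALID) == want)
			return i;
	}
	return -1;
}

/* Read the (pte0, pte1) pair at index i; refuse anything that would touch
 * memory outside the group. Returns false instead of reading out of bounds. */
static bool pteg_read_pair(const uint64_t pteg[PTEG_LEN], int i,
			   uint64_t *v, uint64_t *r)
{
	if (i < 0 || (i & 1) || i + 1 >= PTEG_LEN)
		return false;
	*v = pteg[i];
	*r = pteg[i + 1];
	return true;
}

/* Convenience wrappers over one constructed group, for stand-alone use. */
int demo_counter_after_search(uint64_t want)
{
	uint64_t pteg[PTEG_LEN];
	fill_sample(pteg);
	return loop_counter_after_search(pteg, want);
}

int demo_find(uint64_t want)
{
	uint64_t pteg[PTEG_LEN];
	fill_sample(pteg);
	return pteg_find(pteg, want);
}

/* Returns pte1 of the matching pair, or 0 when the index would be rejected. */
uint64_t demo_read_r(int i)
{
	uint64_t pteg[PTEG_LEN], v = 0, r = 0;
	fill_sample(pteg);
	if (!pteg_read_pair(pteg, i, &v, &r))
		return 0;
	return r;
}

int main(void)
{
	/* A hit leaves the counter inside the group; a miss leaves it at 16. */
	return demo_counter_after_search(0x999) == PTEG_LEN ? 0 : 1;
}
```

The point of the contrast is that `loop_counter_after_search` and `pteg_find` walk the same entries, but only the second one turns "nothing matched" into a value (-1) that a bounds check such as `pteg_read_pair` can reject before any load happens.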