From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář, Liran Alon, Dan Carpenter
Subject: [PATCH] KVM: LAPIC: Fix pv ipis out-of-bounds access
Date: Wed, 29 Aug 2018 13:51:03 +0800
Message-Id: <1535521863-5310-1-git-send-email-wanpengli@tencent.com>
From: Wanpeng Li

Dan Carpenter reported that the untrusted data returned from kvm_register_read() results in the following static checker warning:

  arch/x86/kvm/lapic.c:576 kvm_pv_send_ipi() error: buffer underflow 'map->phys_map' 's32min-s32max'

A KVM guest can easily trigger this by executing the following assembly sequence in Ring0:

  mov $10, %rax
  mov $0xFFFFFFFF, %rbx
  mov $0xFFFFFFFF, %rdx
  mov $0, %rsi
  vmcall

As this will cause KVM to execute the following code-path:

  vmx_handle_exit() -> handle_vmcall() -> kvm_emulate_hypercall() -> kvm_pv_send_ipi()

which will reach an out-of-bounds access.

This patch fixes it by adding a check to kvm_pv_send_ipi() against map->max_apic_id and also checking whether or not map->phys_map[min + i] is NULL, since max_apic_id is set according to the max apic id; however, some phys_map entries may be NULL when apic ids are sparse. In addition, kvm also unconditionally sets max_apic_id to 255 to reserve enough space for any xAPIC ID.

Reported-by: Dan Carpenter
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Liran Alon
Cc: Dan Carpenter
Signed-off-by: Wanpeng Li
---
 arch/x86/kvm/lapic.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 0cefba2..86e933c 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -571,18 +571,27 @@ int kvm_pv_send_ipi(struct kvm *kvm, unsigned long ipi_bitmap_low, rcu_read_lock(); map = rcu_dereference(kvm->arch.apic_map); + if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_low)) < min)) + goto out; /* Bits above cluster_size are masked in the caller. */ for_each_set_bit(i, &ipi_bitmap_low, BITS_PER_LONG) { - vcpu = map->phys_map[min + i]->vcpu; - count += kvm_apic_set_irq(vcpu, &irq, NULL); + if (map->phys_map[min + i]) { + vcpu = map->phys_map[min + i]->vcpu; + count += kvm_apic_set_irq(vcpu, &irq, NULL); + } } min += cluster_size; + if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_high)) < min)) + goto out; for_each_set_bit(i, &ipi_bitmap_high, BITS_PER_LONG) { - vcpu = map->phys_map[min + i]->vcpu; - count += kvm_apic_set_irq(vcpu, &irq, NULL); + if (map->phys_map[min + i]) { + vcpu = map->phys_map[min + i]->vcpu; + count += kvm_apic_set_irq(vcpu, &irq, NULL); + } } +out: rcu_read_unlock(); return count; } -- 2.7.4
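Review bot: the new check only bounds the top of the index range and nothing in the hunk rejects a negative min, which is exactly what the reproducer in the commit message sends (rdx = 0xFFFFFFFF, i.e. -1 if min is the s32 that the checker's 's32min-s32max' range describes). With max_apic_id = 255 as the commit message states and ipi_bitmap_low = 0xFFFFFFFF, `(s32)(map->max_apic_id - __fls(ipi_bitmap_low))` is 224, `224 < -1` is false, so the first loop still runs and `if (map->phys_map[min + i])` reads map->phys_map[-1] on its first iteration; the NULL test does not help because the out-of-bounds read happens in the test itself. Suggest taking min as u32, rejecting `min > map->max_apic_id` before each loop, and limiting the loop length to `min(BITS_PER_LONG, map->max_apic_id - min + 1)` so set bits beyond the map are dropped rather than indexed. Separately, `__fls()` is undefined for a zero argument, so a guest that populates only ipi_bitmap_high (ipi_bitmap_low == 0) or only ipi_bitmap_low feeds 0 to one of the two new checks; either guard the zero case explicitly or use the u32 bound above, which needs no `__fls()` at all.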
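The index arithmetic behind the patch, as an added user-space model (example code, not KVM's code and not the patch itself): it walks the two IPI bitmaps the way kvm_pv_send_ipi() does but records each phys_map[min + i] access instead of performing it, so the three variants can be compared on the commit message's reproducer values. Assumptions of this example: a 64-bit guest (cluster_size == BITS_PER_LONG == 64), max_apic_id == 255 as the commit message states, the constructed topology in sample_map(), and send_ipi_bounded(), which is this example's alternative bound rather than anything in the patch.

```c
/* Added example, not KVM's code or the patch: a user-space model of the
 * index arithmetic in kvm_pv_send_ipi() that records each phys_map[min + i]
 * access instead of performing it.  Assumed: 64-bit guest (cluster_size ==
 * BITS_PER_LONG == 64), max_apic_id == 255 as the commit message says, the
 * constructed sample_map() topology, and send_ipi_bounded() as one
 * alternative bound (this example's suggestion, not the patch). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_APIC_ID 255u
#define MODEL_BITS        64   /* BITS_PER_LONG and cluster_size on x86-64 */

struct apic_map_model {
    uint32_t max_apic_id;
    unsigned char phys_map[MODEL_MAX_APIC_ID + 1];  /* 1 = vCPU, 0 = hole */
};

struct ipi_result {
    int count;       /* IPIs the loop would deliver */
    int oob;         /* indexes outside phys_map[0..max_apic_id] */
    int null_deref;  /* holes dereferenced without a NULL check */
    int undef_fls;   /* __fls() evaluated on an all-zero bitmap */
};

/* __fls(): highest set bit; undefined for 0 in the kernel, reported via *undef. */
static int model_fls(uint64_t x, int *undef)
{
    int n = 0;
    if (x == 0) { *undef = 1; return 0; }
    while (x >>= 1) n++;
    return n;
}

/* One loop over a bitmap whose bit i stands for APIC ID base + i. */
static void walk(const struct apic_map_model *map, uint64_t bitmap, int64_t base,
                 int nbits, int null_checked, struct ipi_result *r)
{
    for (int i = 0; i < nbits; i++) {
        int64_t idx = base + i;
        if (!((bitmap >> i) & 1)) continue;
        if (idx < 0 || idx > (int64_t)map->max_apic_id) { r->oob++; continue; }
        if (!map->phys_map[idx]) { if (!null_checked) r->null_deref++; continue; }
        r->count++;
    }
}

/* Pre-patch loops: no bounds check, no NULL check. */
struct ipi_result send_ipi_unpatched(const struct apic_map_model *map,
                                     uint64_t low, uint64_t high, int32_t min)
{
    struct ipi_result r = {0};
    walk(map, low, min, MODEL_BITS, 0, &r);
    walk(map, high, (int64_t)min + MODEL_BITS, MODEL_BITS, 0, &r);
    return r;
}

/* The patch's check: bail out if min + __fls(bitmap) passes max_apic_id, then
 * skip NULL entries.  Nothing here rejects a negative min. */
struct ipi_result send_ipi_patched(const struct apic_map_model *map,
                                   uint64_t low, uint64_t high, int32_t min)
{
    struct ipi_result r = {0};
    int undef = 0;
    int64_t hi_min = (int64_t)min + MODEL_BITS;
    if ((int32_t)(map->max_apic_id - model_fls(low, &undef)) < min) goto out;
    walk(map, low, min, MODEL_BITS, 1, &r);
    if ((int32_t)(map->max_apic_id - model_fls(high, &undef)) < hi_min) goto out;
    walk(map, high, hi_min, MODEL_BITS, 1, &r);
out:
    r.undef_fls = undef;
    return r;
}

/* Alternative (assumption, not the patch): unsigned min, reject min >
 * max_apic_id, clamp each loop to the entries that exist; no __fls() needed. */
struct ipi_result send_ipi_bounded(const struct apic_map_model *map,
                                   uint64_t low, uint64_t high, uint32_t min)
{
    struct ipi_result r = {0};
    for (int half = 0; half < 2; half++) {
        uint32_t room;
        if (min > map->max_apic_id) break;
        room = map->max_apic_id - min + 1;            /* entries left in the map */
        walk(map, half ? high : low, min,
             room < MODEL_BITS ? (int)room : MODEL_BITS, 1, &r);
        min += MODEL_BITS;                            /* no wrap: min <= 255 here */
    }
    return r;
}

/* Constructed topology: APIC IDs 0..3 and 8..11 have vCPUs; 4..7 and 12..255 are holes. */
struct apic_map_model sample_map(void)
{
    struct apic_map_model m;
    memset(&m, 0, sizeof m);
    m.max_apic_id = MODEL_MAX_APIC_ID;
    for (int id = 0; id < 12; id++) m.phys_map[id] = (id < 4 || id >= 8);
    return m;
}

int main(void)
{
    struct apic_map_model m = sample_map();
    /* Commit-message reproducer: ipi_bitmap_low = min = 0xFFFFFFFF; min reads as -1. */
    struct ipi_result a = send_ipi_unpatched(&m, 0xFFFFFFFFu, 0, -1);
    struct ipi_result b = send_ipi_patched(&m, 0xFFFFFFFFu, 0, -1);
    struct ipi_result c = send_ipi_bounded(&m, 0xFFFFFFFFu, 0, 0xFFFFFFFFu);
    printf("unpatched oob=%d null_deref=%d | patched oob=%d undef_fls=%d | bounded oob=%d count=%d\n",
           a.oob, a.null_deref, b.oob, b.undef_fls, c.oob, c.count);
    return 0;
}
```

On the reproducer values the unpatched model records one out-of-bounds index (phys_map[-1]) plus 23 NULL dereferences from the holes in the sample topology; the patched model removes the NULL dereferences but still records the out-of-bounds index, and flags __fls(0) on the untouched high bitmap; the unsigned bound rejects the request before either loop. For an in-range request (min = 0, low = 0xFFF, high = 1) the patched and bounded variants deliver the same eight IPIs, so the tighter bound changes nothing for valid input.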