From: Wanpeng Li
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář, Liran Alon, Dan Carpenter
Subject: [PATCH] KVM: LAPIC: Fix pv ipis out-of-bounds access
Date: Wed, 29 Aug 2018 13:52:23 +0800
Message-Id: <1535521943-5547-1-git-send-email-wanpengli@tencent.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Wanpeng Li

Dan Carpenter reported that the untrusted data returned from kvm_register_read() results in the following static checker warning:

    arch/x86/kvm/lapic.c:576 kvm_pv_send_ipi() error: buffer underflow 'map->phys_map' 's32min-s32max'

A KVM guest can easily trigger this by executing the following assembly sequence in Ring0:

    mov $10, %rax
    mov $0xFFFFFFFF, %rbx
    mov $0xFFFFFFFF, %rdx
    mov $0, %rsi
    vmcall

As this will cause KVM to execute the following code-path:

    vmx_handle_exit() -> handle_vmcall() -> kvm_emulate_hypercall() -> kvm_pv_send_ipi()

which will reach an out-of-bounds access.

This patch fixes it by adding a check to kvm_pv_send_ipi() against map->max_apic_id and also checking whether or not map->phys_map[min + i] is NULL, since max_apic_id is set according to the max apic id; however, some phys_map entries may be NULL when apic ids are sparse. In addition, kvm also unconditionally sets max_apic_id to 255 to reserve enough space for any xAPIC ID.

Reported-by: Dan Carpenter
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Liran Alon
Cc: Dan Carpenter
Signed-off-by: Wanpeng Li
---
 arch/x86/kvm/lapic.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 0cefba2..86e933c 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -571,18 +571,27 @@ int kvm_pv_send_ipi(struct kvm *kvm, unsigned long ipi_bitmap_low, rcu_read_lock(); map = rcu_dereference(kvm->arch.apic_map); + if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_low)) < min)) + goto out; /* Bits above cluster_size are masked in the caller. */ for_each_set_bit(i, &ipi_bitmap_low, BITS_PER_LONG) { - vcpu = map->phys_map[min + i]->vcpu; - count += kvm_apic_set_irq(vcpu, &irq, NULL); + if (map->phys_map[min + i]) { + vcpu = map->phys_map[min + i]->vcpu; + count += kvm_apic_set_irq(vcpu, &irq, NULL); + } } min += cluster_size; + if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_high)) < min)) + goto out; for_each_set_bit(i, &ipi_bitmap_high, BITS_PER_LONG) { - vcpu = map->phys_map[min + i]->vcpu; - count += kvm_apic_set_irq(vcpu, &irq, NULL); + if (map->phys_map[min + i]) { + vcpu = map->phys_map[min + i]->vcpu; + count += kvm_apic_set_irq(vcpu, &irq, NULL); + } } +out: rcu_read_unlock(); return count; } -- 2.7.4
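Review bot: __fls() is undefined for a zero argument, and nothing in this hunk keeps ipi_bitmap_low or ipi_bitmap_high from being 0, so the two new checks of the form `if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_low)) < min)) goto out;` can evaluate garbage; in the low-word case a spurious hit skips the high word entirely for a guest that only set high-cluster bits. A bound that needs neither __fls nor the cast is to reject `min > map->max_apic_id` up front and limit each for_each_set_bit() scan to the smaller of BITS_PER_LONG and `map->max_apic_id - min + 1` bits, which also delivers the in-range IPIs of a word whose top bit happens to name a nonexistent APIC ID instead of dropping the whole word. Separately, the (s32) cast only has an effect if min is signed (its type is not in the hunk): if min is a u32, the usual arithmetic conversions turn a negative left-hand side back into a large unsigned value and the comparison is false exactly when it was meant to fire. The NULL check on map->phys_map[min + i] is the right fix for sparse APIC IDs and should stay.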
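The commit message above describes a guest-controlled index (min plus a bit position from a guest-supplied bitmap) reaching a host array. The following is an added example, not code from this patch or from KVM: a user-space model of that lookup that shows how far the unpatched index travels for the trigger in the commit message and implements a bound that survives hostile input by clamping the scan to the slots that exist rather than deriving a limit from the highest set bit. struct apic_map, struct vcpu, deliver_cluster(), pv_send_ipi(), run_hypercall() and the 256-slot sample map with vCPUs at APIC IDs 0, 1, 64 and 200 are names and constructed data chosen for this illustration.

```c
/*
 * Added example, not code from this patch or from KVM: a user-space model
 * of the guest-controlled index in kvm_pv_send_ipi(). All names and the
 * sample map below are assumptions made for this illustration.
 */
#include <stdint.h>
#include <string.h>

#define BITS_PER_LONG 64
#define CLUSTER_SIZE  64          /* APIC IDs covered by one bitmap word */

struct vcpu {
    uint32_t apic_id;
    int ipis_received;
};

struct apic_map {
    uint32_t max_apic_id;         /* phys_map has max_apic_id + 1 slots */
    struct vcpu **phys_map;       /* indexed by APIC ID, NULL where no vCPU */
};

/* The index the unpatched loop would use for its highest set bit,
 * min + __fls(bitmap), widened to 64 bits so the overshoot is visible
 * without touching memory. Returns 0 for an empty bitmap, the case in
 * which the kernel's __fls() is undefined. */
static uint64_t unchecked_last_index(uint32_t min, uint64_t bitmap)
{
    if (bitmap == 0)
        return 0;
    return (uint64_t)min + (uint64_t)(63 - __builtin_clzll(bitmap));
}

/* Deliver the IPIs named by one bitmap word whose bit 0 is APIC ID 'base'.
 * Returns the number of vCPUs hit. The scan is clamped to slots that
 * exist, so base + i never leaves phys_map, and sparse IDs are skipped. */
static int deliver_cluster(struct apic_map *map, uint64_t bitmap, uint32_t base)
{
    int count = 0;

    /* No base + i can be in bounds, and the subtraction below would
     * underflow, so reject the whole word before doing any arithmetic. */
    if (base > map->max_apic_id)
        return 0;

    uint32_t room = map->max_apic_id - base + 1;   /* valid IDs from base */
    uint32_t nbits = room < BITS_PER_LONG ? room : BITS_PER_LONG;

    for (uint32_t i = 0; i < nbits; i++) {
        struct vcpu *v;

        if (!((bitmap >> i) & 1))
            continue;
        v = map->phys_map[base + i];          /* base + i <= max_apic_id */
        if (!v)
            continue;                         /* APIC IDs may be sparse */
        v->ipis_received++;
        count++;
    }
    return count;
}

/* Model of the hypercall: two bitmap words and min come straight from
 * guest registers and none of them is trusted. */
static int pv_send_ipi(struct apic_map *map, uint64_t ipi_bitmap_low,
                       uint64_t ipi_bitmap_high, uint32_t min)
{
    int count = deliver_cluster(map, ipi_bitmap_low, min);

    /* min + CLUSTER_SIZE must not wrap a u32 before it becomes an index. */
    if (min > UINT32_MAX - CLUSTER_SIZE)
        return count;
    return count + deliver_cluster(map, ipi_bitmap_high, min + CLUSTER_SIZE);
}

/* Constructed map: 256 slots, the xAPIC reservation the commit message
 * mentions, with vCPUs only at APIC IDs 0, 1, 64 and 200. */
static struct vcpu sample_vcpus[4] = { {0, 0}, {1, 0}, {64, 0}, {200, 0} };
static struct vcpu *sample_slots[256];
static struct apic_map sample_map = { 255, sample_slots };

/* Reset the sample map, then run one hypercall against it. */
static int run_hypercall(uint64_t low, uint64_t high, uint32_t min)
{
    memset(sample_slots, 0, sizeof sample_slots);
    for (size_t i = 0; i < 4; i++) {
        sample_vcpus[i].ipis_received = 0;
        sample_slots[sample_vcpus[i].apic_id] = &sample_vcpus[i];
    }
    return pv_send_ipi(&sample_map, low, high, min);
}

/* IPIs the sample vCPU with this APIC ID (0..255) got from the last run. */
static int received_by(uint32_t apic_id)
{
    return sample_slots[apic_id] ? sample_slots[apic_id]->ipis_received : 0;
}
```

With the register values from the commit message (min = 0xFFFFFFFF, low word 0xFFFFFFFF), unchecked_last_index() reports 0x10000001E against a 256-slot array, while run_hypercall() with the same arguments delivers nothing and reads nothing. The clamp is deliberately per word: a high word whose bit 63 names APIC ID 256 still delivers its in-range bits, and a guest may legitimately pass an empty low word, which the highest-set-bit approach cannot handle.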