Subject: Re: [PATCH] KVM: LAPIC: Fix pv ipis out-of-bounds access
From: Liran Alon
Date: Wed, 29 Aug 2018 12:05:06 +0300
To: Wanpeng Li
Cc: Linux Kernel Mailing List, kvm@vger.kernel.org, Paolo Bonzini, Radim Krčmář, Dan Carpenter
In-Reply-To: <1535521943-5547-1-git-send-email-wanpengli@tencent.com>
X-Mailing-List: linux-kernel@vger.kernel.org

> On 29 Aug 2018, at 8:52, Wanpeng Li wrote:
>
> From: Wanpeng Li
>
> Dan Carpenter reported that the untrusted data returned from kvm_register_read()
> results in the following static checker warning:
> arch/x86/kvm/lapic.c:576 kvm_pv_send_ipi()
> error: buffer underflow 'map->phys_map' 's32min-s32max'
>
> KVM guest can easily trigger this by executing the following assembly sequence
> in Ring0:
>
> mov $10, %rax
> mov $0xFFFFFFFF, %rbx
> mov $0xFFFFFFFF, %rdx
> mov $0, %rsi
> vmcall
>
> As this will cause KVM to execute the following code-path:
> vmx_handle_exit() -> handle_vmcall() -> kvm_emulate_hypercall() -> kvm_pv_send_ipi()
> which will reach out-of-bounds access.
>
> This patch fixes it by adding a check to kvm_pv_send_ipi() against map->max_apic_id
> and also checking whether or not map->phys_map[min + i] is NULL since the max_apic_id
> is set according to the max apic id, however, some phys_map may be NULL when apic id
> is sparse, in addition, kvm also unconditionally sets max_apic_id to 255 to reserve
> enough space for any xAPIC ID.
>
> Reported-by: Dan Carpenter
> Cc: Paolo Bonzini
> Cc: Radim Krčmář
> Cc: Liran Alon
> Cc: Dan Carpenter
> Signed-off-by: Wanpeng Li
> ---
> arch/x86/kvm/lapic.c | 17 +++++++++++++----
> 1 file changed, 13 insertions(+), 4 deletions(-)
>
> diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
> index 0cefba2..86e933c 100644
> --- a/arch/x86/kvm/lapic.c
> +++ b/arch/x86/kvm/lapic.c
> @@ -571,18 +571,27 @@ int kvm_pv_send_ipi(struct kvm *kvm, unsigned long ipi_bitmap_low,
>  	rcu_read_lock();
>  	map = rcu_dereference(kvm->arch.apic_map);
>
> +	if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_low)) < min))
> +		goto out;

I personally think “if ((min + __fls(ipi_bitmap_low)) > map->max_apic_id)” is more readable.
But that’s just a matter of taste :)

>  	/* Bits above cluster_size are masked in the caller. */
>  	for_each_set_bit(i, &ipi_bitmap_low, BITS_PER_LONG) {
> -		vcpu = map->phys_map[min + i]->vcpu;
> -		count += kvm_apic_set_irq(vcpu, &irq, NULL);
> +		if (map->phys_map[min + i]) {
> +			vcpu = map->phys_map[min + i]->vcpu;
> +			count += kvm_apic_set_irq(vcpu, &irq, NULL);
> +		}
>  	}
>
>  	min += cluster_size;
> +	if (unlikely((s32)(map->max_apic_id - __fls(ipi_bitmap_high)) < min))
> +		goto out;
>  	for_each_set_bit(i, &ipi_bitmap_high, BITS_PER_LONG) {
> -		vcpu = map->phys_map[min + i]->vcpu;
> -		count += kvm_apic_set_irq(vcpu, &irq, NULL);
> +		if (map->phys_map[min + i]) {
> +			vcpu = map->phys_map[min + i]->vcpu;
> +			count += kvm_apic_set_irq(vcpu, &irq, NULL);
> +		}
>  	}
>
> +out:
>  	rcu_read_unlock();
>  	return count;
>  }
> --
> 2.7.4
>

Reviewed-By: Liran Alon
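Review bot: the two new bound checks in this hunk do not cover a negative min. The reported warning gives min the range 's32min-s32max', i.e. a signed value, and the commit message's own trigger passes 0xFFFFFFFF in %rdx, which is -1 as an s32; for that input `(s32)(map->max_apic_id - __fls(ipi_bitmap_low)) < min` is false (224 < -1 with max_apic_id 255 and a 32-bit mask), so the loop still evaluates map->phys_map[min + i] at index -1, which is exactly the underflow Dan reported. Suggest taking min as an unsigned value and rejecting `min > map->max_apic_id` up front (the same applies to the second check after `min += cluster_size`), and bounding the for_each_set_bit() size to `map->max_apic_id - min + 1` so no set bit can index past the table. Separately, `__fls()` is undefined for a zero bitmap, so an all-zero ipi_bitmap_low makes the first check compare against an undefined value and can skip a valid ipi_bitmap_high; guarding the zero case, or using the loop-size bound instead of __fls(), avoids that.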
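To make the index arithmetic in the commit message concrete, here is an added user-space model; it is example code written for this page, not the patch above and not KVM's code. It feeds the guest inputs from the trigger sequence (rbx and rdx = 0xFFFFFFFF; rcx is not set there, so ipi_bitmap_high is taken as 0) to two versions of the delivery loop: the check as posted in the hunk, and a hardened form of this example's own that treats min as unsigned and clamps the bit loop. The struct layouts, the vcpu table with APIC IDs 0-3, 8 and 255, the bounds-checking deliver() stand-in for kvm_apic_set_irq(), the model_fls() helper and the assumption that min is a signed int (as the s32 range in the reported warning suggests) are all assumptions of this example.

```c
/* Added example, not code from the patch or from KVM: a user-space model of
 * the index arithmetic in kvm_pv_send_ipi().  Names from the hunk are kept;
 * the vcpu table, deliver() and the hardened variant are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NBITS 64 /* cluster_size for a 64-bit guest */

struct vcpu { int apic_id; };
/* Model of struct kvm_apic_map: max_apic_id + 1 usable slots, NULL for IDs no vCPU uses. */
struct apic_map { uint32_t max_apic_id; struct vcpu *phys_map[256]; };
/* count: IPIs delivered; oob: 1 if some phys_map[min + i] left the table (first index in oob_index). */
struct ipi_result { int count, oob; long oob_index; };

/* Model of __fls(): highest set bit.  The kernel helper is undefined for 0; this returns 0. */
static int model_fls(uint64_t x) { int n = 0; while (x >>= 1) n++; return n; }

/* Stand-in for "map->phys_map[idx]->vcpu" + kvm_apic_set_irq(): records an
 * out-of-bounds index instead of reading past the table. */
static void deliver(const struct apic_map *map, long idx, struct ipi_result *r)
{
	if (idx < 0 || idx > (long)map->max_apic_id) {
		if (!r->oob) {
			r->oob = 1;
			r->oob_index = idx;
		}
	} else if (map->phys_map[idx]) { /* NULL slot: sparse APIC ID, skipped */
		r->count++;
	}
}

/* for_each_set_bit(i, &bitmap, nbits) over phys_map[base + i] */
static void cluster(const struct apic_map *map, uint64_t bitmap, int nbits,
		    long base, struct ipi_result *r)
{
	for (int i = 0; i < nbits; i++)
		if ((bitmap >> i) & 1)
			deliver(map, base + i, r);
}

/* The check as posted, with min a signed int (the s32min-s32max range in the
 * reported warning suggests that): a negative min passes the comparison. */
static struct ipi_result send_ipi_posted(const struct apic_map *map,
		uint64_t low, uint64_t high, int min)
{
	struct ipi_result r = {0};
	long cur = min;

	if ((int32_t)(map->max_apic_id - model_fls(low)) < cur)
		return r;
	cluster(map, low, NBITS, cur, &r);
	cur += NBITS;
	if ((int32_t)(map->max_apic_id - model_fls(high)) < cur)
		return r;
	cluster(map, high, NBITS, cur, &r);
	return r;
}

/* Hardened form (this example's choice): unsigned min, reject anything past
 * max_apic_id, and clamp the bit loop so min + i never exceeds max_apic_id. */
static struct ipi_result send_ipi_hardened(const struct apic_map *map,
		uint64_t low, uint64_t high, uint32_t min)
{
	struct ipi_result r = {0};
	uint32_t room;

	if (min > map->max_apic_id)
		return r;
	room = map->max_apic_id - min + 1;
	cluster(map, low, room < NBITS ? (int)room : NBITS, min, &r);
	min += NBITS;
	if (min > map->max_apic_id)
		return r;
	room = map->max_apic_id - min + 1;
	cluster(map, high, room < NBITS ? (int)room : NBITS, min, &r);
	return r;
}

/* Constructed sample guest: vCPUs at APIC IDs 0-3, 8 and 255 (sparse), max_apic_id 255. */
static const struct apic_map *sample_map(void)
{
	static struct vcpu cpus[] = { {0}, {1}, {2}, {3}, {8}, {255} };
	static struct apic_map map = { .max_apic_id = 255 };

	for (size_t n = 0; n < sizeof cpus / sizeof cpus[0]; n++)
		map.phys_map[cpus[n].apic_id] = &cpus[n];
	return &map;
}

int main(void)
{
	/* Trigger from the commit message: rbx (ipi_bitmap_low) and rdx (min) are
	 * 0xFFFFFFFF, rcx (ipi_bitmap_high) is never set, so 0; -1 as a signed int. */
	struct ipi_result p = send_ipi_posted(sample_map(), 0xFFFFFFFFull, 0, (int)0xFFFFFFFFu);
	struct ipi_result h = send_ipi_hardened(sample_map(), 0xFFFFFFFFull, 0, 0xFFFFFFFFu);

	printf("posted check: count=%d oob=%d first index=%ld\n", p.count, p.oob, p.oob_index);
	printf("hardened    : count=%d oob=%d\n", h.count, h.oob);
	return 0;
}
```

Build with `cc -std=c99 -Wall model.c && ./a.out`. With the trigger inputs the posted check lets min = -1 through and the loop reaches index -1 (it only rejects values of min that are too large), while the unsigned check rejects the call outright. A second case, min = 250 with an 8-bit mask, shows the other side of the trade-off: the posted check drops the whole request because bit 7 would land at 257, whereas the clamped loop still delivers to APIC ID 255 and silently ignores the bits that would leave the table; whether to clamp or to reject such a request is a policy choice the model leaves to the reader.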