Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp527453imu; Wed, 2 Jan 2019 11:11:28 -0800 (PST) X-Google-Smtp-Source: AFSGD/VsqLsmFefG9mk94dcK1/bn8qIcY4CHACIgHdl2gTNl+HnDs1nuiR0Xkk6+fjiYMsqkCwQU X-Received: by 2002:a62:9683:: with SMTP id s3mr45333892pfk.60.1546456288551; Wed, 02 Jan 2019 11:11:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546456288; cv=none; d=google.com; s=arc-20160816; b=GMmOQ/en7P/wwUqbicOLH7tjT7YreusdIwHj+vsyul/Xo6HV5A2V6TjMM7hcnRvhZe jxAp0FuC5TePd6gPMtCmXV0JrfV4a6nH+EHifUmufE0kYQpX3sULItUnoX4O0K/yHmFY VwM2fiRKl8AmPqT6tSJfpcsW02rIP/gKxF1WuVQWTgIS70I+30x7N6AGr5uOBHZuAXw5 iRJVkRQWXVWV+STT9CFJ1LMdsFOkYrvW3Ix/bMa4K6UqO+BZO/BP+35XdHl0H6y0v5Cm 1WEX51TlrtzxMKIf05A99WFq91r/aHUR3XYpDRncQlAFWV8N+p7J9iv0+j8ipTAPXD70 /bYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=pGcTWdnCmvN66ZwQPNKvPT7pk8Vrg++8TkTmZWpUWe0=; b=tsi8UWeneFL43A40A+4jvKxGAJ7FG6kt/KDF9oaDyy6k0c/vq/ywil+CjfEWZKGf8E BZ/d6E2FDOHL201R/rmvV3fF44W5XYHLb6h9BWt+yh5D+lox4DN0u7AbYOhzGv0FqDM2 lAx5wcUaBZ3nRr7hJcme6CQNG6aQJg+YcoV3Yac9s4kT/InGq1mZnA94DLDIyb+Fk+gv NdfHu8D0Xc9I78QlqTZvzyEEwbLjbXaQPjGt5vRAjMBPODst3vImxGb1bh+7jMMbV9VX 4nQashgFoeKhDhLP11AUI3JnVAlKHMzIqTixa8fsF2NlbJFOmpz/6fsTGylk1gBKyhbK GI/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Rs6buJY3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m4si30207484pgk.399.2019.01.02.11.11.13; Wed, 02 Jan 2019 11:11:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Rs6buJY3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726149AbfABRaF (ORCPT + 99 others); Wed, 2 Jan 2019 12:30:05 -0500 Received: from mail-wm1-f65.google.com ([209.85.128.65]:33201 "EHLO mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725993AbfABR37 (ORCPT ); Wed, 2 Jan 2019 12:29:59 -0500 Received: by mail-wm1-f65.google.com with SMTP id r24so33196777wmh.0; Wed, 02 Jan 2019 09:29:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=pGcTWdnCmvN66ZwQPNKvPT7pk8Vrg++8TkTmZWpUWe0=; b=Rs6buJY3efYWnbYivxuxoonPpEir/nYLlJb8PUuF3aMcM4xKioFejft54RaBMEUz/q tUSzwXHxj03UDGheUldT15Iv/TN8a5JFpmAVtGDaYBN19wsNH+BUY+ZOAi2IlSMb+h2k wyNifw1ooVOt82oie1VKtwKl1h51PpLxH1y5ue+NEHx/nEFBzgqbE7Lw4S0pXlzUp82t /VGru9IsDNlYD6a6P+HB77fujTj9kZN/WXAdyLpY6IXNzcQUP2T3yPbPqCPst6hEzmXr Oc4jt3m8iwOu3CNNDM2FJckcEg8BRZQK2HOt+u2DFRSCA+o8EmkqnMlJxIr4QxFMfdHy VS8w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=pGcTWdnCmvN66ZwQPNKvPT7pk8Vrg++8TkTmZWpUWe0=; b=XWm69DSa6TNhBMM1q1AvDGLvYh6VE+zK6qOmt9Jxp9FRSPL6UGE+Jc0No3aCD/Ra8u FcfX78WIntSTfMjpPkppFgMQwYOIDTrjKPeadJCyqmGaoZlXuUQvKYqYsb3s83gtTwVK 1CmxL7N39KNAT5bjXDfjsZxVDJZQJzNuUOBV1wwXTlAFDz5jVtS8aa9K+XgyF0cdLynX mP4QTxdKTqe6+RYQb4tcDtOkj45fazpEV49lp19VPTpc3akgbP5/GY9QF9Cbu8atZglW Q5qnValezbKrMISpq05oLaizfrzye2gUiOKp/oF2u69mCuVygOYeVwYd9XAN8kzZuNg8 IoDg== X-Gm-Message-State: AJcUukfc/Unny96wBgLMF3dpUR447H5hFuL8rO4yZ56TIStvFlVVmWkM pLgeLvCr86OQwVY7JbqiD7MxInn/ X-Received: by 2002:a1c:6243:: with SMTP id w64mr34933871wmb.153.1546450197149; Wed, 02 Jan 2019 09:29:57 -0800 (PST) Received: from localhost.localdomain ([185.175.214.210]) by smtp.gmail.com with ESMTPSA id m15sm38008200wrr.95.2019.01.02.09.29.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 02 Jan 2019 09:29:56 -0800 (PST) From: Tomas Bortoli To: pbonzini@redhat.com, rkrcmar@redhat.com, kvm@vger.kernel.org Cc: linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Tomas Bortoli Subject: [PATCH] KVM: validate userspace input in kvm_clear_dirty_log_protect() Date: Wed, 2 Jan 2019 18:29:37 +0100 Message-Id: <20190102172937.28741-1-tomasbortoli@gmail.com> X-Mailer: git-send-email 2.11.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The function at issue does not fully validate the content of the structure pointed by the log parameter, though its content has just been copied from userspace and lacks validation. Fix that. Moreover, change the type of n to unsigned long as that is the type returned by kvm_dirty_bitmap_bytes(). Signed-off-by: Tomas Bortoli Reported-by: syzbot+028366e52c9ace67deb3@syzkaller.appspotmail.com --- Syzbot report: BUG: KASAN: slab-out-of-bounds in kvm_clear_dirty_log_protect+0x8cf/0x970 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1262 Read of size 8 at addr ffff88809e631290 by task syz-executor007/7635 CPU: 0 PID: 7635 Comm: syz-executor007 Not tainted 4.20.0+ #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1db/0x2d0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 kvm_clear_dirty_log_protect+0x8cf/0x970 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1262 kvm_vm_ioctl_clear_dirty_log+0xff/0x260 arch/x86/kvm/x86.c:4468 kvm_vm_ioctl+0xc19/0x1fe0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3127 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:509 [inline] do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713 __do_sys_ioctl fs/ioctl.c:720 [inline] __se_sys_ioctl fs/ioctl.c:718 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x440b09 Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00000000007dff68 EFLAGS: 00000217 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00000000004a28d8 RCX: 0000000000440b09 RDX: 0000000020000080 RSI: 00000000c018aec0 RDI: 0000000000000004 RBP: 00000000004a28d8 R08: 0000000120080522 R09: 0000000120080522 R10: 0000000120080522 R11: 0000000000000217 R12: 00000000004022a0 R13: 0000000000402330 R14: 0000000000000000 R15: 0000000000000000 virt/kvm/kvm_main.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 666d0155662d..360588aa54c5 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1228,9 +1228,9 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm, { struct kvm_memslots *slots; struct kvm_memory_slot *memslot; - int as_id, id, n; + int as_id, id; gfn_t offset; - unsigned long i; + unsigned long i, n; unsigned long *dirty_bitmap; unsigned long *dirty_bitmap_buffer; @@ -1250,6 +1250,10 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm, return -ENOENT; n = kvm_dirty_bitmap_bytes(memslot); + + if (n << 3 < log->num_pages || log->first_page > log->num_pages) + return -EINVAL; + *flush = false; dirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot); if (copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n)) -- 2.11.0