From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Felix Wilhelm , Jim Mattson , Drew Schmitt , Marc Orr , Peter Shier , Krish Sadhukhan , stable@ver.kernel.org, Paolo Bonzini Subject: [PATCH 4.19 21/23] KVM: nVMX: Fix size checks in vmx_set_nested_state Date: Sat, 4 May 2019 12:25:23 +0200 Message-Id: <20190504102452.211689266@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190504102451.512405835@linuxfoundation.org> References: <20190504102451.512405835@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jim Mattson commit e8ab8d24b488632d07ce5ddb261f1d454114415b upstream. The size checks in vmx_nested_state are wrong because the calculations are made based on the size of a pointer to a struct kvm_nested_state rather than the size of a struct kvm_nested_state. Reported-by: Felix Wilhelm Signed-off-by: Jim Mattson Reviewed-by: Drew Schmitt Reviewed-by: Marc Orr Reviewed-by: Peter Shier Reviewed-by: Krish Sadhukhan Fixes: 8fcc4b5923af5de58b80b53a069453b135693304 Cc: stable@ver.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/vmx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -14236,7 +14236,7 @@ static int vmx_set_nested_state(struct k return ret; /* Empty 'VMXON' state is permitted */ - if (kvm_state->size < sizeof(kvm_state) + sizeof(*vmcs12)) + if (kvm_state->size < sizeof(*kvm_state) + sizeof(*vmcs12)) return 0; if (kvm_state->vmx.vmcs_pa == kvm_state->vmx.vmxon_pa || 
@@ -14269,7 +14269,7 @@ static int vmx_set_nested_state(struct k if (nested_cpu_has_shadow_vmcs(vmcs12) && vmcs12->vmcs_link_pointer != -1ull) { struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu); - if (kvm_state->size < sizeof(kvm_state) + 2 * sizeof(*vmcs12)) + if (kvm_state->size < sizeof(*kvm_state) + 2 * sizeof(*vmcs12)) return -EINVAL; if (copy_from_user(shadow_vmcs12,
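Review bot: in the first hunk (the "Empty 'VMXON' state is permitted" check at 14236), the old expression `sizeof(kvm_state)` measured the pointer rather than the struct kvm_nested_state header that precedes the vmcs12 payload, so the threshold was far too small and a buffer shorter than header plus one VMCS12 image could get past this early return; `sizeof(*kvm_state)` is the right comparison. As a readability point, spelling it `sizeof(struct kvm_nested_state)` would make the pointer-versus-object distinction unmissable to the next reader, and a KVM selftest that passes a size between the old and new thresholds would pin the fix down.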
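Review bot: the second hunk (the shadow VMCS path at 14269) has the same pointer-versus-struct slip, and here the consequence is visible in the hunk: the check gates the `copy_from_user(shadow_vmcs12, ...)` that follows, so a size accepted by the old test could be smaller than the header plus the two VMCS12 images the copy reads, and the corrected `sizeof(*kvm_state) + 2 * sizeof(*vmcs12)` bound is what makes the -EINVAL path actually enforce the declared length. Since both hunks now repeat `sizeof(*kvm_state) + N * sizeof(*vmcs12)`, computing the header size once in a local (or a small static inline helper) would keep the two checks in step and make a recurrence of this mistake harder.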