Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp2663243ybb;
        Sun, 5 Apr 2020 13:14:59 -0700 (PDT)
X-Google-Smtp-Source: APiQypJ7xqbq8Sop1VaWJym9VNUfVG+i22TKzuhq2I70qwQvtfKj4+zhEFhDb9mo0E7nYoI2jqsw
X-Received: by 2002:aca:7213:: with SMTP id p19mr10861961oic.159.1586117699370;
        Sun, 05 Apr 2020 13:14:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586117699; cv=none;
        d=google.com; s=arc-20160816;
        b=Ulrqdn92yw2iNMhUiH9Im/+NSm9bynJ/g6liO36jfZI0Lp5qDXKlpGaO7sbMm90bTr
         IJiJyXvvl1/4Y5QEJqxUpNIboIw/sIbT8i8x0CL8gdAmiMSusfYj23WPTVes0wPNJK2K
         nwsTe7z9f1X/UmHN2XF1UggTJCI1bsnAx5Y1NVSBl2McA8pnz5299H0HB7cOpOlv5BlY
         +R4D5D0qOtbXAn3+EXNxMYsObXQXASJsfykTXOohI+Iik4GIjAHVcyrTF6BkQkrM0IRv
         ymlod4CxxyPMhnCaXU+o9onQjwAnMX9NrW9OGTVARxxk9Sz3p00rYTM0FdNO0xTHEfmh
         i7sA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=ZecswmQzcKyJcaA1KVr1PgDOFuDkBa9m5xQm0CMlRfg=;
        b=N1pMNPbNgd877zwAMYs0iOZA7pjFjR65XAtFINjzMEseLlx/mASrnj3F6bxmffYVW4
         97NefLFpooKtsBC1qNYJxAhg+u5iGay+nwJ1cBMcEwwEzLih77TdW1LbNBYLZif3HBMX
         hm3QWpRH5bWhUDSwlHjJJue+77ivxCZhH2mmhqApu1r+GffsWdRGtEMyySIqPs0EGv92
         aLlf/Lp6I65MyZ107pml4L3YHPFeo4ZET0v4ZACqt+2D8zRuwxc5pJZMeegbbxOuTAon
         9BrUm7dMVPuMMBm3FpVrV31SL+Ihjw/z0hB2jAH57oFdcMvhCzWXxayzFb2ej/9nbiju
         KpxQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@daynix-com.20150623.gappssmtp.com header.s=20150623 header.b=jJyCDymm;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n82si6498451oih.195.2020.04.05.13.14.34;
        Sun, 05 Apr 2020 13:14:59 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@daynix-com.20150623.gappssmtp.com header.s=20150623 header.b=jJyCDymm;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727600AbgDEUNY (ORCPT <rfc822;yuvraaj@gmail.com> + 99 others);
        Sun, 5 Apr 2020 16:13:24 -0400
Received: from mail-lf1-f66.google.com ([209.85.167.66]:40110 "EHLO
        mail-lf1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726887AbgDEUNY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 5 Apr 2020 16:13:24 -0400
Received: by mail-lf1-f66.google.com with SMTP id j17so10087028lfe.7
        for <linux-kernel@vger.kernel.org>; Sun, 05 Apr 2020 13:13:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=daynix-com.20150623.gappssmtp.com; s=20150623;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ZecswmQzcKyJcaA1KVr1PgDOFuDkBa9m5xQm0CMlRfg=;
        b=jJyCDymm6a4Y4wyhQ19mQrdIHDOuRafStVA1S1Ig6u2VsstNNG+WN5ithcMu/UoDhe
         CJm6CNrO5du/C461KF08IoNM6ixV+wdPZH8150mM/yVeqUBK51IxAnWz7mKOY839n8aW
         d7cHEB5htx7FQ8+DMQOGIPAUPdAP2iIaT8fdrFL0ztPZz0GCoILB7X3WnENer2eAJskQ
         eeo1VWbmuMKB2MUvYRbouX1S5SlVWKrKQ6M6xDtskZYZDXj9EBjSi5jMaCUjXzgkBOze
         jU3zjVkxzmHp8gl2mo4gFFASzkAJPg2bF21TLTOydSfR8DchzsZcVw7KD93PqUSsu39Y
         78tQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=ZecswmQzcKyJcaA1KVr1PgDOFuDkBa9m5xQm0CMlRfg=;
        b=lvqpQLsD7CeJ+4XW4UGqdo+ZpknT/mJumbMrDmk3MvU8NS5dPBL6wMXTMWdwCBP10u
         V0XSEL0qwhcXQ3hM23Ir6Yu47K4dI6CNxDgGMuSx6b8BDcCKQuwDFieryaLKn+SHtEXi
         um0bO21fp/et0xHD2gn01epfEdiWqGMvg+hIuXB4Qwmov7MIBb0MfQ2u0uPeWHjFltgg
         m7jTx82Qk7jOAi2y454WslQ0SUVpz213QWI3rTaiInfLzDdOr/ECNr0A36LKZVUOc5on
         IvowRbz17UNhVC1keKXM/mcOFw5yZSm+fen/YIRuqA7N+43kIvOL2BIQLPCYBh0XYDin
         4lcw==
X-Gm-Message-State: AGi0Pub1QZ1xZTv6StS/I+4pIjoweybnYw1WiGIxO4nY6uzgUx9SFxe9
        44DkW6URIryYqYaItDv/mhzzTsmo5UnTdQ==
X-Received: by 2002:ac2:4143:: with SMTP id c3mr4585061lfi.131.1586117602906;
        Sun, 05 Apr 2020 13:13:22 -0700 (PDT)
Received: from navi.cosmonova.net.ua ([95.67.24.131])
        by smtp.gmail.com with ESMTPSA id m1sm5450815lfl.69.2020.04.05.13.13.21
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 05 Apr 2020 13:13:22 -0700 (PDT)
From:   andrew@daynix.com
To:     virtualization@lists.linux-foundation.org
Cc:     gregkh@linuxfoundation.org, jslaby@suse.com,
        linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Subject: [PATCH] Fix: buffer overflow during hvc_alloc().
Date:   Sun,  5 Apr 2020 23:40:24 +0300
Message-Id: <20200405204024.1007843-1-andrew@daynix.com>
X-Mailer: git-send-email 2.24.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Andrew Melnychenko <andrew@daynix.com>

If there is a lot(more then 16) of virtio-console devices
or virtio_console module is reloaded
- buffers 'vtermnos' and 'cons_ops' are overflowed.
In older kernels it overruns spinlock which leads to kernel freezing:
https://bugzilla.redhat.com/show_bug.cgi?id=1786239

Signed-off-by: Andrew Melnychenko <andrew@daynix.com>
---
 drivers/tty/hvc/hvc_console.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
index 27284a2dcd2b..436cc51c92c3 100644
--- a/drivers/tty/hvc/hvc_console.c
+++ b/drivers/tty/hvc/hvc_console.c
@@ -302,10 +302,6 @@ int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
 	vtermnos[index] = vtermno;
 	cons_ops[index] = ops;
 
-	/* reserve all indices up to and including this index */
-	if (last_hvc < index)
-		last_hvc = index;
-
 	/* check if we need to re-register the kernel console */
 	hvc_check_console(index);
 
@@ -960,13 +956,22 @@ struct hvc_struct *hvc_alloc(uint32_t vtermno, int data,
 		    cons_ops[i] == hp->ops)
 			break;
 
-	/* no matching slot, just use a counter */
-	if (i >= MAX_NR_HVC_CONSOLES)
-		i = ++last_hvc;
+	if (i >= MAX_NR_HVC_CONSOLES) {
+
+		/* find 'empty' slot for console */
+		for (i = 0; i < MAX_NR_HVC_CONSOLES && vtermnos[i] != -1; i++) {
+		}
+
+		/* no matching slot, just use a counter */
+		if (i == MAX_NR_HVC_CONSOLES)
+			i = ++last_hvc + MAX_NR_HVC_CONSOLES;
+	}
 
 	hp->index = i;
-	cons_ops[i] = ops;
-	vtermnos[i] = vtermno;
+	if (i < MAX_NR_HVC_CONSOLES) {
+		cons_ops[i] = ops;
+		vtermnos[i] = vtermno;
+	}
 
 	list_add_tail(&(hp->next), &hvc_structs);
 	mutex_unlock(&hvc_structs_mutex);
-- 
2.24.1