From: Sean Christopherson
To: Christian Borntraeger, Janosch Frank, Paolo Bonzini
Cc: David Hildenbrand, Cornelia Huck, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com
Subject: [PATCH 0/2] KVM: Fix out-of-bounds memslot access
Date: Tue, 7 Apr 2020 23:40:57 -0700
Message-Id: <20200408064059.8957-1-sean.j.christopherson@intel.com>
X-Mailer: git-send-email 2.24.1
Two fixes for what are effectively the same bug. The binary search used
for memslot lookup doesn't check the resolved index and can access memory
beyond the end of the memslot array.

I split the s390 specific change to a separate patch because it's subtly
different, and to simplify backporting. The KVM wide fix can be applied to
stable trees as is, but AFAICT the s390 change would need to be paired with
the !used_slots check from commit 774a964ef56 ("KVM: Fix out of range
accesses to memslots"). This is why I tagged only the KVM wide patch for
stable.

Sean Christopherson (2):
  KVM: Check validity of resolved slot when searching memslots
  KVM: s390: Return last valid slot if approx index is out-of-bounds

 arch/s390/kvm/kvm-s390.c | 3 +++
 include/linux/kvm_host.h | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

-- 
2.24.1
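The failure mode the cover letter describes, as an added illustration that is not the patch series' code and not KVM's actual implementation: a simplified model of a memslot table sorted by base_gfn descending, searched with the usual lower-bound binary search. When the looked-up gfn lies below every slot's base_gfn the search resolves to an index equal to used_slots, one past the last valid entry, so the resolved index must be range-checked before it is dereferenced. The struct fields, the table size, the approx fallback to the last valid slot, and the sample table are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified memslot: only the two fields the lookup needs.
 * gfn = guest frame number. */
struct memslot {
	uint64_t base_gfn;
	uint64_t npages;
};

/* Assumed table shape: entries sorted by base_gfn descending, of which
 * only the first used_slots are valid. */
#define MAX_SLOTS 8
struct memslots {
	struct memslot slots[MAX_SLOTS];
	size_t used_slots;
};

/*
 * Find the index of the slot containing gfn, or -1 if there is none.
 *
 * The loop resolves to the smallest index whose base_gfn <= gfn. If no
 * entry satisfies that, 'start' ends up equal to used_slots, i.e. one past
 * the valid entries. Dereferencing slots[start] without the range check
 * below is the out-of-bounds read the cover letter describes.
 *
 * With approx set, an out-of-range index falls back to the last valid
 * slot instead of failing (a model of the s390 variant). That fallback is
 * only meaningful when the table is non-empty, hence the used_slots check
 * up front.
 */
static long find_slot_index(const struct memslots *ms, uint64_t gfn, int approx)
{
	size_t start = 0, end = ms->used_slots;

	if (!ms->used_slots)	/* empty table: no slot, not even approximately */
		return -1;

	while (start < end) {
		size_t mid = start + (end - start) / 2;
		if (gfn >= ms->slots[mid].base_gfn)
			end = mid;
		else
			start = mid + 1;
	}

	if (start >= ms->used_slots) {	/* resolved index is past the end */
		if (!approx)
			return -1;
		start = ms->used_slots - 1;	/* approx: last valid slot */
	}

	if (approx)
		return (long)start;

	const struct memslot *s = &ms->slots[start];
	if (gfn >= s->base_gfn && gfn < s->base_gfn + s->npages)
		return (long)start;
	return -1;	/* gfn falls in a hole between slots */
}

/* Constructed sample table for the example (not real guest layout). */
static const struct memslots *example_slots(void)
{
	static const struct memslots ms = {
		.slots = {
			{ .base_gfn = 0x3000, .npages = 0x100 },
			{ .base_gfn = 0x2000, .npages = 0x800 },
			{ .base_gfn = 0x1000, .npages = 0x10 },
		},
		.used_slots = 3,
	};
	return &ms;
}

static const struct memslots *empty_slots(void)
{
	static const struct memslots ms = { .used_slots = 0 };
	return &ms;
}

int main(void)
{
	const struct memslots *ms = example_slots();
	uint64_t probes[] = { 0x2010, 0x30ff, 0x2900, 0x800 };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("gfn 0x%04llx -> exact %ld, approx %ld\n",
		       (unsigned long long)probes[i],
		       find_slot_index(ms, probes[i], 0),
		       find_slot_index(ms, probes[i], 1));
	return 0;
}
```

The probe at 0x800 is the interesting one: it is below every base_gfn, so the search resolves to index 3 in a table whose valid entries are 0..2. The exact lookup reports no slot and the approx lookup clamps to slot 2; neither path reads slots[3].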