Date: Wed, 8 Apr 2020 07:23:03 -0700
From: Sean Christopherson
To: Cornelia Huck
Cc: Christian Borntraeger, Janosch Frank, Paolo Bonzini, David Hildenbrand, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com
Subject: Re: [PATCH 0/2] KVM: Fix out-of-bounds memslot access
Message-ID: <20200408142302.GA10686@linux.intel.com>

On Wed, Apr 08, 2020 at 10:10:04AM +0200, Cornelia Huck wrote:
> On Wed, 8 Apr 2020 09:24:27 +0200
> Christian Borntraeger wrote:
>
> > On 08.04.20 08:40, Sean Christopherson wrote:
> > > Two fixes for what are effectively the same bug. The binary search used
> > > for memslot lookup doesn't check the resolved index and can access memory
> > > beyond the end of the memslot array.
> > >
> > > I split the s390 specific change to a separate patch because it's subtly
> > > different, and to simplify backporting. The KVM wide fix can be applied
> > > to stable trees as is, but AFAICT the s390 change would need to be paired
> > > with the !used_slots check from commit 774a964ef56 ("KVM: Fix out of range
> >
> > I cannot find the commit id 774a964ef56
> >
>
> It's 0774a964ef561b7170d8d1b1bfe6f88002b6d219 in my tree.

Argh, I botched the copy. Thanks for hunting it down!
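
The bug class named in the quoted cover letter (a binary search whose resolved index is used without a range check), sketched as an added example that is not code from this thread or from the patches. The struct and function names, the descending sort order and the sample values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 3

/* Simplified model with hypothetical names, not the kernel's structures. */
struct slot { uint64_t base, npages; };
struct slot_table {
    int used;                    /* number of valid entries in slots[] */
    struct slot slots[NSLOTS];   /* assumed sorted by base, descending */
};

/* Constructed sample: the array is full, so index 'used' is one past the end. */
static const struct slot_table sample = {
    .used = NSLOTS,
    .slots = { {0x300, 0x10}, {0x200, 0x10}, {0x100, 0x10} },
};

/* Find the first slot with base <= gfn. The result lies in [0, used];
 * 'used' means every slot starts above gfn, so it is not a valid index. */
static int resolve_index(const struct slot_table *t, uint64_t gfn)
{
    int start = 0, end = t->used;
    while (start < end) {
        int mid = start + (end - start) / 2;
        if (gfn >= t->slots[mid].base)
            end = mid;
        else
            start = mid + 1;
    }
    return start;
}

/* Lookup that validates the resolved index before dereferencing it. */
static const struct slot *lookup(const struct slot_table *t, uint64_t gfn)
{
    int i = resolve_index(t, gfn);
    if (i >= t->used)            /* without this, slots[i] reads past the array */
        return NULL;
    if (gfn - t->slots[i].base >= t->slots[i].npages)
        return NULL;             /* gfn sits in the gap after slot i */
    return &t->slots[i];
}

int main(void)
{
    printf("index for 0x50: %d of %d\n", resolve_index(&sample, 0x50), sample.used);
    printf("lookup(0x205) hit: %d\n", lookup(&sample, 0x205) != NULL);
    return 0;
}
```

A key below every slot base drives the search to index `used`; an empty table does the same with index 0, which is why the index check has to come before any read of `slots[i]`.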