Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp3718273pxv; Mon, 26 Jul 2021 10:09:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxRorpvarPdxKlEO/1CmGRtv9Ub1dWt2MVhikhUgvnzYPu2KhhR23Q/qko5aAh4pXI1dhqS X-Received: by 2002:a5d:59ae:: with SMTP id p14mr20793471wrr.148.1627319350314; Mon, 26 Jul 2021 10:09:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627319350; cv=none; d=google.com; s=arc-20160816; b=vsxNTiTKfRz2J0uhq2ZHp561tuxreeHEOxeauVTfG6VNlsR1q1ikrQMi0FZMg8nnYl HUF73G5bT1BEpW2PiL+c3W3v9mKjsIN3H0RZqktWazDhdYe74Vu7AIbBoKtH2xsKsapD mozS9oSEiH4b6eM0nxfzGQ93SkTjRG2nplK0lY5oc+0yGWs/vUyscE6IpYd4nN6jKo31 Y6SMUxEbv5WLJD/u+dWtGLqSiMngYyNYZGPqeyOlQEjLUb7h4uuysn8vDpwEqRsoTDW3 4TdDgX9y1t4N6kVDhhLaTZzjFDJ0usD5MHsj3k76oQwiuMhvG1sCL0chA1N5NcHOHnp4 A6hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=G0/MxlvffyUSQdntXtwRfcOS6cPTymj1VuqO8wOiQdU=; b=D7YD2TnlMOfrCYaSD9OsNpblgXNKdwDo9BjMXc/ICFUklxBcDeIU6iN7DSqIAqPW0Q LISEN90DNG7240U1qFkYILYN9Hw4hmXJieTKQXYk2iauH/XkOradVcO8Kl1ZM5z27X8z /N6bOuRjcIfJcuuW58EcwvvB+BCTqKs1rOBPnS75MgHDBzuS5OjxwPhNaLXwv9BZnD17 9+KDRh6IuPFFs9BWyOLFDPUFnFCz7RyNHMCqgX0cac1byYciNqD7Av1XKiujNVKxNBsy hy+TL+6lLPrTPWq4Ap2O7ELbMww33OTTVF+fl1fmj2bi658mxHh4UglvbA+uJ8JCwH62 Z6AA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=dQFcsBuk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n8si355677wri.326.2021.07.26.10.08.42; Mon, 26 Jul 2021 10:09:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=dQFcsBuk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238521AbhGZPnT (ORCPT + 99 others); Mon, 26 Jul 2021 11:43:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:39796 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237926AbhGZPYZ (ORCPT ); Mon, 26 Jul 2021 11:24:25 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id CACF360240; Mon, 26 Jul 2021 16:04:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1627315493; bh=JD7GtbckkQ883GLNGJ4pCOHmtJklLbCXoblQ/IaLTlI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dQFcsBukKJp+S0vEwKClwS9T+rOYUNmkGeRJu5DAl5JZCzEtMs2i23uJWHA1OjPHs xBbleLwngMW+fzjWm4JEMaLk3eVWaBWQpqq0ZVXXgCtRfnHexvgDvwuxXjYjxKMJW+ RtrbQKd4hJL9vRyhvNjKOl3attOPjWvNAfhEpMcw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexey Kardashevskiy , Nicholas Piggin , Michael Ellerman Subject: [PATCH 5.10 119/167] KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow Date: Mon, 26 Jul 2021 17:39:12 +0200 Message-Id: <20210726153843.393628770@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210726153839.371771838@linuxfoundation.org> References: <20210726153839.371771838@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Nicholas Piggin commit f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a upstream. The kvmppc_rtas_hcall() sets the host rtas_args.rets pointer based on the rtas_args.nargs that was provided by the guest. That guest nargs value is not range checked, so the guest can cause the host rets pointer to be pointed outside the args array. The individual rtas function handlers check the nargs and nrets values to ensure they are correct, but if they are not, the handlers store a -3 (0xfffffffd) failure indication in rets[0] which corrupts host memory. Fix this by testing up front whether the guest supplied nargs and nret would exceed the array size, and fail the hcall directly without storing a failure indication to rets[0]. Also expand on a comment about why we kill the guest and try not to return errors directly if we have a valid rets[0] pointer. Fixes: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls") Cc: stable@vger.kernel.org # v3.10+ Reported-by: Alexey Kardashevskiy Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/kvm/book3s_rtas.c | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) --- a/arch/powerpc/kvm/book3s_rtas.c +++ b/arch/powerpc/kvm/book3s_rtas.c @@ -242,6 +242,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *v * value so we can restore it on the way out. */ orig_rets = args.rets; + if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) { + /* + * Don't overflow our args array: ensure there is room for + * at least rets[0] (even if the call specifies 0 nret). + * + * Each handler must then check for the correct nargs and nret + * values, but they may always return failure in rets[0]. + */ + rc = -EINVAL; + goto fail; + } args.rets = &args.args[be32_to_cpu(args.nargs)]; mutex_lock(&vcpu->kvm->arch.rtas_token_lock); @@ -269,9 +280,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *v fail: /* * We only get here if the guest has called RTAS with a bogus - * args pointer. That means we can't get to the args, and so we - * can't fail the RTAS call. So fail right out to userspace, - * which should kill the guest. + * args pointer or nargs/nret values that would overflow the + * array. That means we can't get to the args, and so we can't + * fail the RTAS call. So fail right out to userspace, which + * should kill the guest. + * + * SLOF should actually pass the hcall return value from the + * rtas handler call in r3, so enter_rtas could be modified to + * return a failure indication in r3 and we could return such + * errors to the guest rather than failing to host userspace. + * However old guests that don't test for failure could then + * continue silently after errors, so for now we won't do this. */ return rc; }