AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2024-12-20 14:27:36 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
bdf7ffc899
linux_dsm_epyc7002/arch/x86
History
Wanpeng Li bdf7ffc899 KVM: LAPIC: Fix pv ipis out-of-bounds access 
Dan Carpenter reported that the untrusted data returns from kvm_register_read()
results in the following static checker warning:
  arch/x86/kvm/lapic.c:576 kvm_pv_send_ipi()
  error: buffer underflow 'map->phys_map' 's32min-s32max'

KVM guest can easily trigger this by executing the following assembly sequence
in Ring0:

mov $10, %rax
mov $0xFFFFFFFF, %rbx
mov $0xFFFFFFFF, %rdx
mov $0, %rsi
vmcall

As this will cause KVM to execute the following code-path:
vmx_handle_exit() -> handle_vmcall() -> kvm_emulate_hypercall() -> kvm_pv_send_ipi()
which will reach out-of-bounds access.

This patch fixes it by adding a check to kvm_pv_send_ipi() against map->max_apic_id,
ignoring destinations that are not present and delivering the rest. We also check
whether or not map->phys_map[min + i] is NULL since the max_apic_id is set to the
max apic id, some phys_map maybe NULL when apic id is sparse, especially kvm
unconditionally set max_apic_id to 255 to reserve enough space for any xAPIC ID.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Liran Alon <liran.alon@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
[Add second "if (min > map->max_apic_id)" to complete the fix. -Radim]
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2018-09-07 18:38:43 +02:00
..
boot Kbuild updates for v4.19 (2nd) 2018-08-25 13:40:38 -07:00
configs
crypto Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2018-08-29 13:38:39 -07:00
entry x86/vdso: Fix vDSO build if a retpoline is emitted 2018-08-20 18:04:41 +02:00
events x86/nmi: Fix NMI uaccess race against CR3 switching 2018-08-31 17:08:22 +02:00
hyperv x86/mm: Only use tlb_remove_table() for paravirt 2018-08-23 11:56:31 -07:00
ia32 syscalls/x86: auto-create compat_sys_*() prototypes 2018-04-02 20:16:18 +02:00
include KVM: LAPIC: Fix pv ipis out-of-bounds access 2018-09-07 18:38:43 +02:00
kernel x86/dumpstack: Don't dump kernel memory based on usermode RIP 2018-08-31 17:08:22 +02:00
kvm KVM: LAPIC: Fix pv ipis out-of-bounds access 2018-09-07 18:38:43 +02:00
lib x86/nmi: Fix NMI uaccess race against CR3 switching 2018-08-31 17:08:22 +02:00
math-emu
mm x86/pti: Fix section mismatch warning/error 2018-09-02 11:24:41 +02:00
net bpf, x32: Fix regression caused by commit 24dea04767 2018-07-26 02:51:12 +02:00
oprofile
pci PCI: Make early dump functionality generic 2018-06-29 20:06:07 -05:00
platform x86/efi: Load fixmap GDT in efi_call_phys_epilog() 2018-08-31 17:45:54 +02:00
power Power management updates for 4.19-rc1 2018-08-14 13:12:24 -07:00
purgatory kbuild: move bin2c back to scripts/ from scripts/basic/ 2018-07-18 01:18:05 +09:00
ras
realmode
tools x86/relocs: Add __end_rodata_aligned to S_REL 2018-08-09 20:42:07 +02:00
um Consolidation of Kconfig files by Christoph Hellwig. 2018-08-15 13:05:12 -07:00
video
xen xen: fixes for 4.19-rc2 2018-08-31 08:45:16 -07:00
.gitignore
Kbuild
Kconfig x86/Kconfig: Fix trivial typo 2018-08-27 10:29:14 +02:00
Kconfig.cpu Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2018-03-25 07:36:02 -10:00
Kconfig.debug Kconfig: consolidate the "Kernel hacking" menu 2018-08-02 08:06:48 +09:00
Makefile x86: Allow generating user-space headers without a compiler 2018-08-31 17:08:22 +02:00
Makefile_32.cpu
Makefile.um kbuild: rename LDFLAGS to KBUILD_LDFLAGS 2018-08-24 08:22:08 +09:00