lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 May 2022 09:57:04 -0700 From: Kees Cook <keescook@...omium.org> To: Paolo Bonzini <pbonzini@...hat.com> Cc: Kees Cook <keescook@...omium.org>, Sean Christopherson <seanjc@...gle.com>, Vitaly Kuznetsov <vkuznets@...hat.com>, Wanpeng Li <wanpengli@...cent.com>, Jim Mattson <jmattson@...gle.com>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>, kvm@...r.kernel.org, Joerg Roedel <joro@...tes.org>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: [PATCH] KVM: x86/emulator: Bounds check reg nr against reg array size GCC 12 sees that it might be possible for "nr" to be outside the _regs array. Add explicit bounds checking. In function 'reg_read', inlined from 'reg_rmw' at ../arch/x86/kvm/emulate.c:266:2: ../arch/x86/kvm/emulate.c:254:27: warning: array subscript 32 is above array bounds of 'long unsigned int[17]' [-Warray-bounds] 254 | return ctxt->_regs[nr]; | ~~~~~~~~~~~^~~~ In file included from ../arch/x86/kvm/emulate.c:23: ../arch/x86/kvm/kvm_emulate.h: In function 'reg_rmw': ../arch/x86/kvm/kvm_emulate.h:366:23: note: while referencing '_regs' 366 | unsigned long _regs[NR_VCPU_REGS]; | ^~~~~ Cc: Paolo Bonzini <pbonzini@...hat.com> Cc: Sean Christopherson <seanjc@...gle.com> Cc: Vitaly Kuznetsov <vkuznets@...hat.com> Cc: Wanpeng Li <wanpengli@...cent.com> Cc: Jim Mattson <jmattson@...gle.com> Cc: x86@...nel.org Cc: "H. Peter Anvin" <hpa@...or.com> Cc: kvm@...r.kernel.org Signed-off-by: Kees Cook <keescook@...omium.org> --- arch/x86/kvm/emulate.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 89b11e7dca8a..fbcbc012a3ae 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -247,6 +247,8 @@ enum x86_transfer_type { static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr) { + if (WARN_ON(nr >= ARRAY_SIZE(ctxt->_regs))) + return 0; if (!(ctxt->regs_valid & (1 << nr))) { ctxt->regs_valid |= 1 << nr; ctxt->_regs[nr] = ctxt->ops->read_gpr(ctxt, nr); @@ -256,6 +258,8 @@ static ulong reg_read(struct x86_emulate_ctxt *ctxt, unsigned nr) static ulong *reg_write(struct x86_emulate_ctxt *ctxt, unsigned nr) { + if (WARN_ON(nr >= ARRAY_SIZE(ctxt->_regs))) + return 0; ctxt->regs_valid |= 1 << nr; ctxt->regs_dirty |= 1 << nr; return &ctxt->_regs[nr]; -- 2.32.0
Powered by blists - more mailing lists