[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200408064059.8957-1-sean.j.christopherson@intel.com>
Date: Tue, 7 Apr 2020 23:40:57 -0700
From: Sean Christopherson <sean.j.christopherson@...el.com>
To: Christian Borntraeger <borntraeger@...ibm.com>,
Janosch Frank <frankja@...ux.ibm.com>,
Paolo Bonzini <pbonzini@...hat.com>
Cc: David Hildenbrand <david@...hat.com>,
Cornelia Huck <cohuck@...hat.com>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+d889b59b2bb87d4047a2@...kaller.appspotmail.com
Subject: [PATCH 0/2] KVM: Fix out-of-bounds memslot access
Two fixes for what are effectively the same bug. The binary search used
for memslot lookup doesn't check the resolved index and can access memory
beyond the end of the memslot array.
I split the s390 specific change to a separate patch because it's subtly
different, and to simplify backporting. The KVM wide fix can be applied
to stable trees as is, but AFAICT the s390 change would need to be paired
with the !used_slots check from commit 774a964ef56 ("KVM: Fix out of range
accesses to memslots"). This is why I tagged only the KVM wide patch for
stable.
Sean Christopherson (2):
KVM: Check validity of resolved slot when searching memslots
KVM: s390: Return last valid slot if approx index is out-of-bounds
arch/s390/kvm/kvm-s390.c | 3 +++
include/linux/kvm_host.h | 2 +-
2 files changed, 4 insertions(+), 1 deletion(-)
--
2.24.1
Powered by blists - more mailing lists