lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 8 Apr 2020 12:21:38 +0200 From: Claudio Imbrenda <imbrenda@...ux.ibm.com> To: Sean Christopherson <sean.j.christopherson@...el.com> Cc: Christian Borntraeger <borntraeger@...ibm.com>, Janosch Frank <frankja@...ux.ibm.com>, Paolo Bonzini <pbonzini@...hat.com>, David Hildenbrand <david@...hat.com>, Cornelia Huck <cohuck@...hat.com>, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, syzbot+d889b59b2bb87d4047a2@...kaller.appspotmail.com Subject: Re: [PATCH 2/2] KVM: s390: Return last valid slot if approx index is out-of-bounds On Tue, 7 Apr 2020 23:40:59 -0700 Sean Christopherson <sean.j.christopherson@...el.com> wrote: > Return the index of the last valid slot from gfn_to_memslot_approx() > if its binary search loop yielded an out-of-bounds index. The index > can be out-of-bounds if the specified gfn is less than the base of the > lowest memslot (which is also the last valid memslot). > > Note, the sole caller, kvm_s390_get_cmma(), ensures used_slots is > non-zero. > > Fixes: afdad61615cc3 ("KVM: s390: Fix storage attributes migration > with memory slots") Signed-off-by: Sean Christopherson > <sean.j.christopherson@...el.com> --- > arch/s390/kvm/kvm-s390.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c > index 19a81024fe16..5dcf9ff12828 100644 > --- a/arch/s390/kvm/kvm-s390.c > +++ b/arch/s390/kvm/kvm-s390.c > @@ -1939,6 +1939,9 @@ static int gfn_to_memslot_approx(struct > kvm_memslots *slots, gfn_t gfn) start = slot + 1; > } > > + if (start >= slots->used_slots) > + return slots->used_slots - 1; > + > if (gfn >= memslots[start].base_gfn && > gfn < memslots[start].base_gfn + memslots[start].npages) > { atomic_set(&slots->lru_slot, start); on s390 memory always starts at 0; you can't even boot a system missing the first pages of physical memory, so this means this situation would never happen in practice. of course, a malicious userspace program could create an (unbootable) VM and trigger this bug, so the patch itself makes sense. Reviewed-by: Claudio Imbrenda <imbrenda@...ux.ibm.com>
Powered by blists - more mailing lists