| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Nov 2021 01:38:02 +0100
From: "Maciej S. Szmigiero" <maciej.szmigiero@...cle.com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: James Morse <james.morse@....com>,
Alexandru Elisei <alexandru.elisei@....com>,
Suzuki K Poulose <suzuki.poulose@....com>,
Atish Patra <atish.patra@....com>,
David Hildenbrand <david@...hat.com>,
Cornelia Huck <cohuck@...hat.com>,
Claudio Imbrenda <imbrenda@...ux.ibm.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>,
linux-arm-kernel@...ts.infradead.org, kvmarm@...ts.cs.columbia.edu,
linux-mips@...r.kernel.org, kvm@...r.kernel.org,
kvm-ppc@...r.kernel.org, kvm-riscv@...ts.infradead.org,
linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org,
Ben Gardon <bgardon@...gle.com>, Marc Zyngier <maz@...nel.org>,
Huacai Chen <chenhuacai@...nel.org>,
Aleksandar Markovic <aleksandar.qemu.devel@...il.com>,
Paul Mackerras <paulus@...abs.org>,
Anup Patel <anup.patel@....com>,
Paul Walmsley <paul.walmsley@...ive.com>,
Palmer Dabbelt <palmer@...belt.com>,
Albert Ou <aou@...s.berkeley.edu>,
Christian Borntraeger <borntraeger@...ibm.com>,
Janosch Frank <frankja@...ux.ibm.com>,
Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [PATCH v5.5 02/30] KVM: Disallow user memslot with size that
exceeds "unsigned long"
On 04.11.2021 01:25, Sean Christopherson wrote:
> Reject userspace memslots whose size exceeds the storage capacity of an
> "unsigned long". KVM's uAPI takes the size as u64 to support large slots
> on 64-bit hosts, but does not account for the size being truncated on
> 32-bit hosts in various flows. The access_ok() check on the userspace
> virtual address in particular casts the size to "unsigned long" and will
> check the wrong number of bytes.
>
> KVM doesn't actually support slots whose size doesn't fit in an "unsigned
> long", e.g. KVM's internal kvm_memory_slot.npages is an "unsigned long",
> not a "u64", and misc arch specific code follows that behavior.
>
> Fixes: fa3d315a4ce2 ("KVM: Validate userspace_addr of memslot when registered")
> Cc: stable@...r.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
> ---
> virt/kvm/kvm_main.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 99e69375c4c9..83287730389f 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -1689,7 +1689,8 @@ int __kvm_set_memory_region(struct kvm *kvm,
> id = (u16)mem->slot;
>
> /* General sanity checks */
> - if (mem->memory_size & (PAGE_SIZE - 1))
> + if ((mem->memory_size & (PAGE_SIZE - 1)) ||
> + (mem->memory_size != (unsigned long)mem->memory_size))
> return -EINVAL;
> if (mem->guest_phys_addr & (PAGE_SIZE - 1))
> return -EINVAL;
>
Reviewed-by: Maciej S. Szmigiero <maciej.szmigiero@...cle.com>
Powered by blists - more mailing lists