linux-kernel - arch/riscv/kvm/vcpu_pmu.c:40 kvm_riscv_vcpu_pmu_ctr_info() error: buffer overflow 'kvpmu->pmc' 64 <= 64

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Message-ID: <85162d82-9ca6-4912-99d3-01583f843fa9@kili.mountain>
Date:   Tue, 21 Mar 2023 07:28:09 +0300
From:   Dan Carpenter <error27@...il.com>
To:     oe-kbuild@...ts.linux.dev, Atish Patra <atishp@...osinc.com>
Cc:     lkp@...el.com, oe-kbuild-all@...ts.linux.dev,
        linux-kernel@...r.kernel.org, Anup Patel <anup@...infault.org>,
        Andrew Jones <ajones@...tanamicro.com>
Subject: arch/riscv/kvm/vcpu_pmu.c:40 kvm_riscv_vcpu_pmu_ctr_info() error:
 buffer overflow 'kvpmu->pmc' 64 <= 64

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
head:   17214b70a159c6547df9ae204a6275d983146f6b
commit: 8f0153ecd3bf184bc06afca25b737c707fa4d765 RISC-V: KVM: Add skeleton support for perf
config: riscv-randconfig-m031-20230319 (https://download.01.org/0day-ci/archive/20230321/202303210940.XYeKyGru-lkp@intel.com/config)
compiler: riscv32-linux-gcc (GCC) 12.1.0

If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@...el.com>
| Reported-by: Dan Carpenter <error27@...il.com>
| Link: https://lore.kernel.org/r/202303210940.XYeKyGru-lkp@intel.com/

smatch warnings:
arch/riscv/kvm/vcpu_pmu.c:40 kvm_riscv_vcpu_pmu_ctr_info() error: buffer overflow 'kvpmu->pmc' 64 <= 64

vim +40 arch/riscv/kvm/vcpu_pmu.c

8f0153ecd3bf184 Atish Patra 2023-02-07  30  int kvm_riscv_vcpu_pmu_ctr_info(struct kvm_vcpu *vcpu, unsigned long cidx,
8f0153ecd3bf184 Atish Patra 2023-02-07  31  				struct kvm_vcpu_sbi_return *retdata)
8f0153ecd3bf184 Atish Patra 2023-02-07  32  {
8f0153ecd3bf184 Atish Patra 2023-02-07  33  	struct kvm_pmu *kvpmu = vcpu_to_pmu(vcpu);
8f0153ecd3bf184 Atish Patra 2023-02-07  34  
8f0153ecd3bf184 Atish Patra 2023-02-07  35  	if (cidx > RISCV_KVM_MAX_COUNTERS || cidx == 1) {

Probably change > to >= RISCV_KVM_MAX_COUNTERS.  It's strange that 1 is
invalid.  I would have expected 0 to be invalid.  (I have not looked at
the context outside this email).

8f0153ecd3bf184 Atish Patra 2023-02-07  36  		retdata->err_val = SBI_ERR_INVALID_PARAM;
8f0153ecd3bf184 Atish Patra 2023-02-07  37  		return 0;
8f0153ecd3bf184 Atish Patra 2023-02-07  38  	}
8f0153ecd3bf184 Atish Patra 2023-02-07  39  
8f0153ecd3bf184 Atish Patra 2023-02-07 @40  	retdata->out_val = kvpmu->pmc[cidx].cinfo.value;
                                                                   ^^^^^^^^^^^^^^^^^

8f0153ecd3bf184 Atish Patra 2023-02-07  41  
8f0153ecd3bf184 Atish Patra 2023-02-07  42  	return 0;
8f0153ecd3bf184 Atish Patra 2023-02-07  43  }

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests