Message-Id: <20240625083348.2299-1-alexey.makhalov@broadcom.com>
Date: Tue, 25 Jun 2024 01:33:48 -0700
From: Alexey Makhalov <alexey.makhalov@...adcom.com>
To: linux-kernel@...r.kernel.org,
	virtualization@...ts.linux.dev,
	bp@...en8.de,
	hpa@...or.com,
	dave.hansen@...ux.intel.com,
	mingo@...hat.com,
	tglx@...utronix.de
Cc: x86@...nel.org,
	ajay.kaher@...adcom.com,
	bcm-kernel-feedback-list@...adcom.com,
	Alexey Makhalov <alexey.makhalov@...adcom.com>,
	Alex James <alex.james@...adcom.com>
Subject: [PATCH] x86/vmware: fix panic in vmware_hypercall_slow()

Callers of vmware_hypercall_slow() can pass NULL for out1, out2, ... out5.
The asm output constraints dereference them unconditionally, which leads
to a NULL pointer dereference.

Check a pointer for NULL before assigning a value.

Fixes: 	666cbb562d05d ("x86/vmware: Introduce VMware hypercall API")
Co-developed-by: Alex James <alex.james@...adcom.com>
Signed-off-by: Alex James <alex.james@...adcom.com>
Signed-off-by: Alexey Makhalov <alexey.makhalov@...adcom.com>
---
 arch/x86/kernel/cpu/vmware.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/arch/x86/kernel/cpu/vmware.c b/arch/x86/kernel/cpu/vmware.c
index 55903563afd3..16da970499f2 100644
--- a/arch/x86/kernel/cpu/vmware.c
+++ b/arch/x86/kernel/cpu/vmware.c
@@ -72,13 +72,13 @@ unsigned long vmware_hypercall_slow(unsigned long cmd,
 				    u32 *out1, u32 *out2, u32 *out3,
 				    u32 *out4, u32 *out5)
 {
-	unsigned long out0;
+	unsigned long out0, rbx, rcx, rdx, rsi, rdi;
 
 	switch (vmware_hypercall_mode) {
 	case CPUID_VMWARE_FEATURES_ECX_VMCALL:
 		asm_inline volatile ("vmcall"
-				: "=a" (out0), "=b" (*out1), "=c" (*out2),
-				"=d" (*out3), "=S" (*out4), "=D" (*out5)
+				: "=a" (out0), "=b" (rbx), "=c" (rcx),
+				"=d" (rdx), "=S" (rsi), "=D" (rdi)
 				: "a" (VMWARE_HYPERVISOR_MAGIC),
 				"b" (in1),
 				"c" (cmd),
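Review bot: The temporaries declared on the new `unsigned long out0, rbx, rcx, rdx, rsi, rdi;` line are wider than the `u32 *` out1..out5 they are later copied into (on a 64-bit build), so each `*outN = ...` store narrows implicitly; declaring them `u32 rbx, rcx, rdx, rsi, rdi;` keeps the output-operand type the same as the removed `"=b" (*out1)` form and makes the truncation visible at the declaration rather than at the assignments. The register-style names would also read oddly if this file is built for 32-bit x86, where those registers are not 64-bit; that is a matter of taste. vmware_hypercall_slow's signature begins before this hunk and its body continues past it.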
@@ -89,8 +89,8 @@ unsigned long vmware_hypercall_slow(unsigned long cmd,
 		break;
 	case CPUID_VMWARE_FEATURES_ECX_VMMCALL:
 		asm_inline volatile ("vmmcall"
-				: "=a" (out0), "=b" (*out1), "=c" (*out2),
-				"=d" (*out3), "=S" (*out4), "=D" (*out5)
+				: "=a" (out0), "=b" (rbx), "=c" (rcx),
+				"=d" (rdx), "=S" (rsi), "=D" (rdi)
 				: "a" (VMWARE_HYPERVISOR_MAGIC),
 				"b" (in1),
 				"c" (cmd),
@@ -101,8 +101,8 @@ unsigned long vmware_hypercall_slow(unsigned long cmd,
 		break;
 	default:
 		asm_inline volatile ("movw %[port], %%dx; inl (%%dx), %%eax"
-				: "=a" (out0), "=b" (*out1), "=c" (*out2),
-				"=d" (*out3), "=S" (*out4), "=D" (*out5)
+				: "=a" (out0), "=b" (rbx), "=c" (rcx),
+				"=d" (rdx), "=S" (rsi), "=D" (rdi)
 				: [port] "i" (VMWARE_HYPERVISOR_PORT),
 				"a" (VMWARE_HYPERVISOR_MAGIC),
 				"b" (in1),
@@ -113,6 +113,18 @@ unsigned long vmware_hypercall_slow(unsigned long cmd,
 				: "cc", "memory");
 		break;
 	}
+
+	if (out1)
+		*out1 = rbx;
+	if (out2)
+		*out2 = rcx;
+	if (out3)
+		*out3 = rdx;
+	if (out4)
+		*out4 = rsi;
+	if (out5)
+		*out5 = rdi;
+
 	return out0;
 }
 
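Review bot: The new NULL checks before `*out1 = rbx;` through `*out5 = rdi;` are not documented anywhere in this hunk, so a later reader cannot tell whether NULL is a supported value or a defensive guard; a short comment above the first check, `/* out1..out5 may be NULL when the caller does not need that register. */`, would state the contract the commit message describes. Since the five temporaries are assigned as outputs in every arm of the switch, including `default`, they are always written before these reads, which is worth a one-line note as well. The start of vmware_hypercall_slow lies outside this hunk.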
-- 
2.39.4

