| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20241023120111.3973-1-liujing@cmss.chinamobile.com>
Date: Wed, 23 Oct 2024 20:01:11 +0800
From: Liu Jing <liujing@...s.chinamobile.com>
To: mpe@...erman.id.au
Cc: npiggin@...il.com,
christophe.leroy@...roup.eu,
naveen@...nel.org,
maddy@...ux.ibm.com,
linuxppc-dev@...ts.ozlabs.org,
kvm@...r.kernel.org,
linux-kernel@...r.kernel.org,
Liu Jing <liujing@...s.chinamobile.com>
Subject: [PATCH] KVM: Array access out of bounds
In the kvmppc_mmu_book3s_64_xlate function,
r = be64_to_cpu(pteg[i+1]); i used is 16 after the last loop and adding 1 will cross the line.
Signed-off-by: Liu Jing <liujing@...s.chinamobile.com>
diff --git a/arch/powerpc/kvm/book3s_64_mmu.c b/arch/powerpc/kvm/book3s_64_mmu.c
index 61290282fd9e..75d2b284c4b4 100644
--- a/arch/powerpc/kvm/book3s_64_mmu.c
+++ b/arch/powerpc/kvm/book3s_64_mmu.c
@@ -284,11 +284,16 @@ static int kvmppc_mmu_book3s_64_xlate(struct kvm_vcpu *vcpu, gva_t eaddr,
second = true;
goto do_second;
}
+ if (i < 14) {
+ r = be64_to_cpu(pteg[i+1]);
+ pp = (r & HPTE_R_PP) | key;
+ if (r & HPTE_R_PP0)
+ pp |= 8;
+ } else {
+ dprintk("KVM: Index out of bounds!\n");
+ goto no_page_found;
+ }
- r = be64_to_cpu(pteg[i+1]);
- pp = (r & HPTE_R_PP) | key;
- if (r & HPTE_R_PP0)
- pp |= 8;
gpte->eaddr = eaddr;
gpte->vpage = kvmppc_mmu_book3s_64_ea_to_vp(vcpu, eaddr, data);
--
2.27.0
Powered by blists - more mailing lists