Message-ID: <cd69f611-6478-4df6-907e-433ac559a20a@redhat.com>
Date: Wed, 23 Oct 2024 14:58:34 +0200
From: Paolo Bonzini <pbonzini@...hat.com>
To: Liu Jing <liujing@...s.chinamobile.com>, mpe@...erman.id.au
Cc: npiggin@...il.com, christophe.leroy@...roup.eu, naveen@...nel.org,
maddy@...ux.ibm.com, linuxppc-dev@...ts.ozlabs.org, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: Array access out of bounds
On 10/23/24 14:01, Liu Jing wrote:
> In the kvmppc_mmu_book3s_64_xlate function,
> r = be64_to_cpu(pteg[i+1]); the i used is 16 after the last loop, and adding 1 will cross the line.
>
> Signed-off-by: Liu Jing <liujing@...s.chinamobile.com>
>
> diff --git a/arch/powerpc/kvm/book3s_64_mmu.c b/arch/powerpc/kvm/book3s_64_mmu.c
> index 61290282fd9e..75d2b284c4b4 100644
> --- a/arch/powerpc/kvm/book3s_64_mmu.c
> +++ b/arch/powerpc/kvm/book3s_64_mmu.c
> @@ -284,11 +284,16 @@ static int kvmppc_mmu_book3s_64_xlate(struct kvm_vcpu *vcpu, gva_t eaddr,
> second = true;
> goto do_second;
> }
> + if (i < 14) {
This should be i <= 14 (not "<"). And in fact, if you get here you must
have found == true, and therefore i is indeed <= 14. The code right
above is this:
    if (!found) {
        if (second)
            goto no_page_found;
        v_val |= HPTE_V_SECONDARY;
        second = true;
        goto do_second;
    }
and "found = true" is set just before a break statement.
Paolo
> + r = be64_to_cpu(pteg[i+1]);
> + pp = (r & HPTE_R_PP) | key;
> + if (r & HPTE_R_PP0)
> + pp |= 8;
> + } else {
> + dprintk("KVM: Index out of bounds!\n");
> + goto no_page_found;
> + }
>
> - r = be64_to_cpu(pteg[i+1]);
> - pp = (r & HPTE_R_PP) | key;
> - if (r & HPTE_R_PP0)
> - pp |= 8;
>
> gpte->eaddr = eaddr;
> gpte->vpage = kvmppc_mmu_book3s_64_ea_to_vp(vcpu, eaddr, data);
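Review bot: the new `if (i < 14)` guard is off by one and, more importantly, unreachable in the case it is meant to catch. A match in the last HPTE of the PTEG leaves i == 14, a valid hit whose second word is pteg[15], yet this check sends it to no_page_found; meanwhile the `if (!found)` block immediately above already diverts every miss (the only case in which i can be 16) before this read, so the description's "i is 16 after the last loop" never applies to the `r = be64_to_cpu(pteg[i+1]);` line. As written the hunk's only observable effect is to turn a valid last-slot lookup into a translation failure; suggest dropping the change.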
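The invariant Paolo describes, as an added worked example that is not part of the thread or of the kernel source: a small model of the PTEG search (the step-2 walk over 16 words and the omitted page-size check are assumptions, and `pteg_search`, `xlate_tail` and `demo_lookup` are hypothetical names) shows that found implies i <= 14, that the posted `i < 14` check rejects a valid hit in the last HPTE, and that `i <= 14` does not.

```c
#include <stdbool.h>
#include <stdint.h>

#define PTEG_WORDS 16 /* a hashed PTEG: 8 HPTEs of two 64-bit words each */
enum xlate_result { XLATE_OK, XLATE_NO_PAGE, XLATE_INDEX_OOB };

/* Search loop as the thread describes it: found is set just before break
 * (assumption: the real loop also checks page size). Found => i <= 14. */
static bool pteg_search(const uint64_t pteg[PTEG_WORDS], uint64_t v_mask,
                        uint64_t v_val, int *i_out)
{
    bool found = false;
    int i;
    for (i = 0; i < PTEG_WORDS; i += 2) {
        if ((pteg[i] & v_mask) == v_val) {
            found = true;
            break;
        }
    }
    *i_out = i;
    return found;
}

/* Existing !found guard, then the patch's check (limit 14 = "i < 14",
 * 15 = "i <= 14", PTEG_WORDS = no check, as upstream), then pteg[i+1]. */
static enum xlate_result xlate_tail(const uint64_t pteg[PTEG_WORDS],
                                    uint64_t v_mask, uint64_t v_val,
                                    int limit, uint64_t *r_out)
{
    int i;
    if (!pteg_search(pteg, v_mask, v_val, &i))
        return XLATE_NO_PAGE;   /* miss: pteg[i + 1] is never read */
    if (i >= limit)
        return XLATE_INDEX_OOB; /* the patch's "Index out of bounds!" path */
    *r_out = pteg[i + 1];       /* found, so i <= 14 and i + 1 <= 15 */
    return XLATE_OK;
}

/* Constructed PTEG: all zero except HPTE 'slot' (0..7, or -1 for none),
 * whose first word matches and whose second word carries a marker. */
static enum xlate_result demo_lookup(int slot, int limit, uint64_t *r_out)
{
    uint64_t pteg[PTEG_WORDS] = { 0 };
    const uint64_t v_mask = ~(uint64_t)0, v_val = 0x1234;
    if (slot >= 0 && slot < PTEG_WORDS / 2) {
        pteg[2 * slot] = v_val;
        pteg[2 * slot + 1] = 0xa000 + slot;
    }
    return xlate_tail(pteg, v_mask, v_val, limit, r_out);
}
```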