| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241108163228.374110-1-pbonzini@redhat.com>
Date: Fri, 8 Nov 2024 11:32:28 -0500
From: Paolo Bonzini <pbonzini@...hat.com>
To: linux-kernel@...r.kernel.org,
kvm@...r.kernel.org
Cc: michael.roth@....com,
seanjc@...gle.com
Subject: [PATCH 2.5/3] KVM: gmem: limit hole-punching to ranges within the file
Do not pass out-of-bounds values to kvm_gmem_mark_range_unprepared().
Signed-off-by: Paolo Bonzini <pbonzini@...hat.com>
---
virt/kvm/guest_memfd.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
Sent separately because I thought this was a bug also in the current
code but, on closer look, it is fine because ksys_fallocate checks that
there is no overflow.
diff --git a/virt/kvm/guest_memfd.c b/virt/kvm/guest_memfd.c
index 412d49c6d491..7dc89ceef782 100644
--- a/virt/kvm/guest_memfd.c
+++ b/virt/kvm/guest_memfd.c
@@ -324,10 +324,17 @@ static void kvm_gmem_invalidate_end(struct kvm_gmem *gmem, pgoff_t start,
static long kvm_gmem_punch_hole(struct inode *inode, loff_t offset, loff_t len)
{
struct list_head *gmem_list = &inode->i_mapping->i_private_list;
- pgoff_t start = offset >> PAGE_SHIFT;
- pgoff_t end = (offset + len) >> PAGE_SHIFT;
+ loff_t size = i_size_read(inode);
+ pgoff_t start, end;
struct kvm_gmem *gmem;
+ if (offset > size)
+ return 0;
+
+ len = min(size - offset, len);
+ start = offset >> PAGE_SHIFT;
+ end = (offset + len) >> PAGE_SHIFT;
+
/*
* Bindings must be stable across invalidation to ensure the start+end
* are balanced.
--
2.43.5
Powered by blists - more mailing lists