lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAAhSdy1OcQBgV6T5z0K5mMv9pr23_oVVEJpimdzDjgAN3BhYeg@mail.gmail.com>
Date: Fri, 22 Aug 2025 16:58:52 +0530
From: Anup Patel <anup@...infault.org>
To: Radim Krčmář <rkrcmar@...tanamicro.com>
Cc: kvm-riscv@...ts.infradead.org, kvm@...r.kernel.org, 
	linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org, 
	Atish Patra <atishp@...shpatra.org>, Paul Walmsley <paul.walmsley@...ive.com>, 
	Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>, 
	Alexandre Ghiti <alex@...ti.fr>, Daniel Henrique Barboza <dbarboza@...tanamicro.com>, stable@...r.kernel.org
Subject: Re: [PATCH] RISC-V: KVM: fix stack overrun when loading vlenb

On Tue, Aug 5, 2025 at 4:24 PM Radim Krčmář <rkrcmar@...tanamicro.com> wrote:
>
> The userspace load can put up to 2048 bits into an xlen bit stack
> buffer.  We want only xlen bits, so check the size beforehand.
>
> Fixes: 2fa290372dfe ("RISC-V: KVM: add 'vlenb' Vector CSR")
> Cc: <stable@...r.kernel.org>
> Signed-off-by: Radim Krčmář <rkrcmar@...tanamicro.com>

Queued this as a fix for Linux-6.17

Thanks,
Anup

> ---
>  arch/riscv/kvm/vcpu_vector.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kvm/vcpu_vector.c b/arch/riscv/kvm/vcpu_vector.c
> index a5f88cb717f3..05f3cc2d8e31 100644
> --- a/arch/riscv/kvm/vcpu_vector.c
> +++ b/arch/riscv/kvm/vcpu_vector.c
> @@ -182,6 +182,8 @@ int kvm_riscv_vcpu_set_reg_vector(struct kvm_vcpu *vcpu,
>                 struct kvm_cpu_context *cntx = &vcpu->arch.guest_context;
>                 unsigned long reg_val;
>
> +               if (reg_size != sizeof(reg_val))
> +                       return -EINVAL;
>                 if (copy_from_user(&reg_val, uaddr, reg_size))
>                         return -EFAULT;
>                 if (reg_val != cntx->vector.vlenb)
> --
> 2.50.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ