| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20260125060441.2437515-1-xujiakai2025@iscas.ac.cn> Date: Sun, 25 Jan 2026 06:04:41 +0000 From: Jiakai Xu <jiakaipeanut@...il.com> To: linux-kernel@...r.kernel.org, linux-riscv@...ts.infradead.org, kvm-riscv@...ts.infradead.org, kvm@...r.kernel.org Cc: Alexandre Ghiti <alex@...ti.fr>, Albert Ou <aou@...s.berkeley.edu>, Palmer Dabbelt <palmer@...belt.com>, Paul Walmsley <pjw@...nel.org>, Atish Patra <atish.patra@...ux.dev>, Anup Patel <anup@...infault.org>, Jiakai Xu <xujiakai2025@...as.ac.cn> Subject: [PATCH] RISC-V: KVM: Fix null pointer dereference in kvm_riscv_aia_imsic_has_attr Add a null pointer check for imsic_state before dereferencing it in kvm_riscv_aia_imsic_has_attr(). While the function checks that the vcpu exists, it doesn't verify that the vcpu's imsic_state has been initialized, leading to a null pointer dereference when accessed. This issue was discovered during fuzzing of RISC-V KVM code. The crash occurs when userspace calls KVM_HAS_DEVICE_ATTR ioctl on an AIA IMSIC device before the IMSIC state has been fully initialized for a vcpu. The crash manifests as: Unable to handle kernel paging request at virtual address dfffffff00000001 ... epc : kvm_riscv_aia_imsic_has_attr+0x464/0x50e arch/riscv/kvm/aia_imsic.c:998 ... kvm_riscv_aia_imsic_has_attr+0x464/0x50e arch/riscv/kvm/aia_imsic.c:998 aia_has_attr+0x128/0x2bc arch/riscv/kvm/aia_device.c:471 kvm_device_ioctl_attr virt/kvm/kvm_main.c:4722 [inline] kvm_device_ioctl+0x296/0x374 virt/kvm/kvm_main.c:4739 ... The fix adds a check to return -ENODEV if imsic_state is NULL, which is consistent with other error handling in the function and prevents the null pointer dereference. Reproducer and detailed analysis available at: https://github.com/j1akai/temp/tree/main/20260125 Signed-off-by: Jiakai Xu <xujiakai2025@...as.ac.cn> --- arch/riscv/kvm/aia_imsic.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/riscv/kvm/aia_imsic.c b/arch/riscv/kvm/aia_imsic.c index e597e86491c3b..9c58a66068447 100644 --- a/arch/riscv/kvm/aia_imsic.c +++ b/arch/riscv/kvm/aia_imsic.c @@ -995,6 +995,9 @@ int kvm_riscv_aia_imsic_has_attr(struct kvm *kvm, unsigned long type) isel = KVM_DEV_RISCV_AIA_IMSIC_GET_ISEL(type); imsic = vcpu->arch.aia_context.imsic_state; + if (!imsic) + return -ENODEV; + return imsic_mrif_isel_check(imsic->nr_eix, isel); } -- 2.34.1
Powered by blists - more mailing lists