| Message ID | 20200408064059.8957-1-sean.j.christopherson@intel.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | KVM: Fix out-of-bounds memslot access | expand |
On 08.04.20 08:40, Sean Christopherson wrote: > Two fixes for what are effectively the same bug. The binary search used > for memslot lookup doesn't check the resolved index and can access memory > beyond the end of the memslot array. > > I split the s390 specific change to a separate patch because it's subtly > different, and to simplify backporting. The KVM wide fix can be applied > to stable trees as is, but AFAICT the s390 change would need to be paired > with the !used_slots check from commit 774a964ef56 ("KVM: Fix out of range > accesses to memslots"). This is why I tagged only the KVM wide patch for > stable. You can specify dependencies like see Documentation/process/stable-kernel-rules.rst -----------snip--------------- Additionally, some patches submitted via :ref:`option_1` may have additional patch prerequisites which can be cherry-picked. This can be specified in the following format in the sign-off area: .. code-block:: none Cc: <stable@vger.kernel.org> # 3.3.x: a1f84a3: sched: Check for idle Cc: <stable@vger.kernel.org> # 3.3.x: 1b9508f: sched: Rate-limit newidle Cc: <stable@vger.kernel.org> # 3.3.x: fd21073: sched: Fix affinity logic Cc: <stable@vger.kernel.org> # 3.3.x Signed-off-by: Ingo Molnar <mingo@elte.hu> The tag sequence has the meaning of: .. code-block:: none git cherry-pick a1f84a3 git cherry-pick 1b9508f git cherry-pick fd21073 git cherry-pick <this commit> -----------snip---------------
On 08.04.20 08:40, Sean Christopherson wrote: > Two fixes for what are effectively the same bug. The binary search used > for memslot lookup doesn't check the resolved index and can access memory > beyond the end of the memslot array. > > I split the s390 specific change to a separate patch because it's subtly > different, and to simplify backporting. The KVM wide fix can be applied > to stable trees as is, but AFAICT the s390 change would need to be paired > with the !used_slots check from commit 774a964ef56 ("KVM: Fix out of range I cannot find the commit id 774a964ef56
On Wed, 8 Apr 2020 09:24:27 +0200 Christian Borntraeger <borntraeger@de.ibm.com> wrote: > On 08.04.20 08:40, Sean Christopherson wrote: > > Two fixes for what are effectively the same bug. The binary search used > > for memslot lookup doesn't check the resolved index and can access memory > > beyond the end of the memslot array. > > > > I split the s390 specific change to a separate patch because it's subtly > > different, and to simplify backporting. The KVM wide fix can be applied > > to stable trees as is, but AFAICT the s390 change would need to be paired > > with the !used_slots check from commit 774a964ef56 ("KVM: Fix out of range > > I cannot find the commit id 774a964ef56 > It's 0774a964ef561b7170d8d1b1bfe6f88002b6d219 in my tree.
On Wed, Apr 08, 2020 at 10:10:04AM +0200, Cornelia Huck wrote: > On Wed, 8 Apr 2020 09:24:27 +0200 > Christian Borntraeger <borntraeger@de.ibm.com> wrote: > > > On 08.04.20 08:40, Sean Christopherson wrote: > > > Two fixes for what are effectively the same bug. The binary search used > > > for memslot lookup doesn't check the resolved index and can access memory > > > beyond the end of the memslot array. > > > > > > I split the s390 specific change to a separate patch because it's subtly > > > different, and to simplify backporting. The KVM wide fix can be applied > > > to stable trees as is, but AFAICT the s390 change would need to be paired > > > with the !used_slots check from commit 774a964ef56 ("KVM: Fix out of range > > > > I cannot find the commit id 774a964ef56 > > > > It's 0774a964ef561b7170d8d1b1bfe6f88002b6d219 in my tree. Argh, I botched the copy. Thanks for hunting it down!
Two fixes for what are effectively the same bug. The binary search used for memslot lookup doesn't check the resolved index and can access memory beyond the end of the memslot array. I split the s390 specific change to a separate patch because it's subtly different, and to simplify backporting. The KVM wide fix can be applied to stable trees as is, but AFAICT the s390 change would need to be paired with the !used_slots check from commit 774a964ef56 ("KVM: Fix out of range accesses to memslots"). This is why I tagged only the KVM wide patch for stable. Sean Christopherson (2): KVM: Check validity of resolved slot when searching memslots KVM: s390: Return last valid slot if approx index is out-of-bounds arch/s390/kvm/kvm-s390.c | 3 +++ include/linux/kvm_host.h | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-)