From patchwork Fri Oct 10 10:14:29 2014
X-Patchwork-Submitter: Christoffer Dall
X-Patchwork-Id: 5064321
From: Christoffer Dall
To: kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org
Cc: Catalin Marinas, kvm@vger.kernel.org, jungseoklee85@gmail.com, Joel Schopp, Christoffer Dall
Subject: [PATCH v3 2/3] arm/arm64: KVM: Ensure memslots are within KVM_PHYS_SIZE
Date: Fri, 10 Oct 2014 12:14:29 +0200
Message-Id: <1412936070-18860-3-git-send-email-christoffer.dall@linaro.org>
In-Reply-To: <1412936070-18860-1-git-send-email-christoffer.dall@linaro.org>
References: <1412936070-18860-1-git-send-email-christoffer.dall@linaro.org>

When creating or moving a memslot, make sure the IPA space is within the addressable range of the guest. Otherwise, user space can create too large a memslot and KVM would try to access potentially unallocated page table entries when inserting entries in the Stage-2 page tables.

Signed-off-by: Christoffer Dall
Acked-by: Catalin Marinas
Acked-by: Marc Zyngier
---
 arch/arm/kvm/mmu.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
index 6e87233..d664bff 100644
--- a/arch/arm/kvm/mmu.c
+++ b/arch/arm/kvm/mmu.c
@@ -994,6 +994,9 @@ int kvm_handle_guest_abort(struct kvm_vcpu *vcpu, struct kvm_run *run) goto out_unlock; } + /* Userspace should not be able to register out-of-bounds IPAs */ + VM_BUG_ON(fault_ipa >= KVM_PHYS_SIZE); + ret = user_mem_abort(vcpu, fault_ipa, memslot, hva, fault_status); if (ret == 0) ret = 1; @@ -1218,6 +1221,11 @@ int kvm_arch_prepare_memory_region(struct kvm *kvm, struct kvm_userspace_memory_region *mem, enum kvm_mr_change change) { + if (change == KVM_MR_CREATE || change == KVM_MR_MOVE) { + if (memslot->base_gfn + memslot->npages >= + (KVM_PHYS_SIZE >> PAGE_SHIFT)) + return -EFAULT; + } return 0; }
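Review bot: `VM_BUG_ON(fault_ipa >= KVM_PHYS_SIZE)` in kvm_handle_guest_abort only compiles to a check when CONFIG_DEBUG_VM is set; on other builds the assertion disappears and an out-of-range fault_ipa falls through to user_mem_abort() exactly as before. That is acceptable as a debug assertion backing the real guard added in kvm_arch_prepare_memory_region, but the comment "Userspace should not be able to register out-of-bounds IPAs" should say this is a debug-only sanity check rather than a filter; and if the intent is to catch the condition on production builds too, a WARN_ON plus returning an error would avoid panicking the host over a state that, per the commit message, originates from userspace input.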
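Review bot: the bound in kvm_arch_prepare_memory_region looks off by one. `memslot->base_gfn + memslot->npages` is the first page frame past the slot, so a slot whose last page is the last page of IPA space has `base_gfn + npages == (KVM_PHYS_SIZE >> PAGE_SHIFT)` and is rejected by `>=` even though every page in it is addressable; if the intent is to reject only slots that actually extend past KVM_PHYS_SIZE, the comparison should be `>`, and if the top page is excluded deliberately, a comment saying why would help. The sum also relies on the generic memslot code having already rejected a guest_phys_addr + memory_size that wraps, since a wrapped sum would pass this test, which is worth a comment. Limiting the check to KVM_MR_CREATE and KVM_MR_MOVE is correct, as the other change types do not alter the slot's range.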