| Message ID | 1496910128-87057-1-git-send-email-wanpeng.li@hotmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On 08/06/2017 10:22, Wanpeng Li wrote: > From: Wanpeng Li <wanpeng.li@hotmail.com> > > If "i" is the last element in the vcpu->arch.cpuid_entries[] array, it > potentially can be exploited the vulnerability. this will out-of-bounds > read and write the unused memory in host OS. > > As Paolo pointed: > >>> /* when no next entry is found, the current entry[i] is reselected */ >>> - for (j = i + 1; ; j = (j + 1) % nent) { >>> - struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j]; >>> - if (ej->function == e->function) { >> >> It reads ej->maxphyaddr, which is user controlled. >> >>> - ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; >> >> After cpuid_entries there is >> >> int maxphyaddr; >> struct x86_emulate_ctxt emulate_ctxt; /* 16-byte aligned */ >> >> So indeed we have: >> >> - cpuid_entries at offset 1B50 (6992) >> - maxphyaddr at offset 27D0 (6992 + 3200 = 10192) >> - padding at 27D4...27DF >> - emulate_ctxt at 27E0 >> >> So this indeed writes in the padding. Pfew, writing the ops field of >> emulate_ctxt would have been much worse. > > This patch fixes it by modding the index to avoid the out-of-bounds. At > the worst case, i == j and ej->function == e->function, the loop can bail > out. > > Reported-by: Moguofang <moguofang@huawei.com> > Cc: Paolo Bonzini <pbonzini@redhat.com> > Cc: Radim Krčmář <rkrcmar@redhat.com> > Cc: Moguofang <moguofang@huawei.com> > Cc: stable@vger.kernel.org > Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com> > --- > v1 -> v2: > * update patch description Queued, thanks. Paolo > > arch/x86/kvm/cpuid.c | 19 ++++++++++--------- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c > index a181ae7..b927a42 100644 > --- a/arch/x86/kvm/cpuid.c > +++ b/arch/x86/kvm/cpuid.c > @@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid, > > static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i) > { > + int j = i, nent = vcpu->arch.cpuid_nent; > struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i]; > - int j, nent = vcpu->arch.cpuid_nent; > + struct kvm_cpuid_entry2 *ej; > > e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT; > /* when no next entry is found, the current entry[i] is reselected */ > - for (j = i + 1; ; j = (j + 1) % nent) { > - struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j]; > - if (ej->function == e->function) { > - ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; > - return j; > - } > - } > - return 0; /* silence gcc, even though control never reaches here */ > + do { > + j = (j + 1) % nent; > + ej = &vcpu->arch.cpuid_entries[j]; > + } while(ej->function != e->function); > + > + ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; > + > + return j; > } > > /* find an entry with matching function, matching index (if needed), and that >
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index a181ae7..b927a42 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid, static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i) { + int j = i, nent = vcpu->arch.cpuid_nent; struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i]; - int j, nent = vcpu->arch.cpuid_nent; + struct kvm_cpuid_entry2 *ej; e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT; /* when no next entry is found, the current entry[i] is reselected */ - for (j = i + 1; ; j = (j + 1) % nent) { - struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j]; - if (ej->function == e->function) { - ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; - return j; - } - } - return 0; /* silence gcc, even though control never reaches here */ + do { + j = (j + 1) % nent; + ej = &vcpu->arch.cpuid_entries[j]; + } while(ej->function != e->function); + + ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; + + return j; } /* find an entry with matching function, matching index (if needed), and that