From patchwork Tue May 7 12:55:13 2013
X-Patchwork-Submitter: Andre Przywara
X-Patchwork-Id: 2533041
From: Andre Przywara
To: cdall@cs.columbia.edu, marc.zyngier@arm.com
Cc: peter.maydell@linaro.org, Andre Przywara, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, patches@linaro.org
Subject: [PATCH] ARM: KVM: prevent NULL pointer dereference with KVM ioctl
Date: Tue, 7 May 2013 14:55:13 +0200
Message-Id: <1367931313-14839-1-git-send-email-andre.przywara@linaro.org>

Some ARM KVM VCPU ioctls require the vCPU to be properly initialized
with the KVM_ARM_VCPU_INIT ioctl before being used with further requests.
KVM_RUN checks whether this initialization has been done, but other
ioctls do not. Namely KVM_GET_REG_LIST will dereference an array with
index -1 without initialization and thus leads to a kernel oops.
Fix this by adding checks before executing the ioctl handlers.
Signed-off-by: Andre Przywara --- arch/arm/kvm/arm.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c index c1fe498..0c571ff 100644 --- a/arch/arm/kvm/arm.c +++ b/arch/arm/kvm/arm.c @@ -893,6 +893,11 @@ long kvm_arch_vcpu_ioctl(struct file *filp, case KVM_SET_ONE_REG: case KVM_GET_ONE_REG: { struct kvm_one_reg reg; + + /* Make sure they initialize the vcpu with KVM_ARM_VCPU_INIT */ + if (unlikely(vcpu->arch.target < 0)) + return -ENOEXEC; + if (copy_from_user(®, argp, sizeof(reg))) return -EFAULT; if (ioctl == KVM_SET_ONE_REG) @@ -905,6 +910,10 @@ long kvm_arch_vcpu_ioctl(struct file *filp, struct kvm_reg_list reg_list; unsigned n; + /* Make sure they initialize the vcpu with KVM_ARM_VCPU_INIT */ + if (unlikely(vcpu->arch.target < 0)) + return -ENOEXEC; + if (copy_from_user(®_list, user_list, sizeof(reg_list))) return -EFAULT; n = reg_list.n;
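Review bot: The commit message names only KVM_GET_REG_LIST as the affected ioctl, but the two hunks (the KVM_SET_ONE_REG/KVM_GET_ONE_REG case at @@ -893 and the KVM_GET_REG_LIST case at @@ -905) make three ioctls start returning -ENOEXEC for an uninitialized vcpu; the message should list all three, since userspace will now see an error from calls that previously succeeded or oopsed, and should state that -ENOEXEC was chosen to match what KVM_RUN already returns in this situation, if that is the intent. The same three-line test plus comment is pasted into both cases; if the check cannot be hoisted above the switch because KVM_ARM_VCPU_INIT is dispatched from that same switch, a short comment saying so would stop the next reader from trying, and a tiny helper would keep the two copies from drifting apart. Style: "Make sure they initialize the vcpu with KVM_ARM_VCPU_INIT" leaves "they" unclear; "Reject until userspace has initialized the vcpu with KVM_ARM_VCPU_INIT" says who is meant, and the new error code belongs in the ioctl documentation alongside the other return values.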