From: Marc Zyngier
To: kvmarm@lists.linux.dev, kvm@vger.kernel.org, linux-arm-kernel@lists.infradead.org
Cc: James Morse, Suzuki K Poulose, Oliver Upton, Zenghui Yu, Joey Gouly, Will Deacon, Catalin Marinas
Subject: [PATCH v2 01/13] KVM: arm64: Harden __ctxt_sys_reg() against out-of-range values
Date: Mon, 26 Feb 2024 10:05:49 +0000
Message-Id: <20240226100601.2379693-2-maz@kernel.org>
In-Reply-To: <20240226100601.2379693-1-maz@kernel.org>
References: <20240226100601.2379693-1-maz@kernel.org>

The unsuspecting kernel tinkerer can be easily confused into writing
something that looks like this:

	ikey.lo = __vcpu_sys_reg(vcpu, SYS_APIAKEYLO_EL1);

which seems vaguely sensible, until you realise that the second
parameter is the encoding of a sysreg, and not the index into the vcpu
sysreg file...

Debugging what happens in this case is an interesting exercise in
head<->wall interactions. As they often say: "Any resemblance to actual
persons, living or dead, or actual events is purely coincidental".
In order to save people's time, add some compile-time hardening that
will at least weed out the "stupidly out of range" values. This will
*not* catch anything that isn't a compile-time constant.

Reviewed-by: Joey Gouly
Signed-off-by: Marc Zyngier
---
 arch/arm64/include/asm/kvm_host.h | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/kvm_host.h b/arch/arm64/include/asm/kvm_host.h index 181fef12e8e8..a5ec4c7d3966 100644 --- a/arch/arm64/include/asm/kvm_host.h +++ b/arch/arm64/include/asm/kvm_host.h @@ -895,7 +895,7 @@ struct kvm_vcpu_arch { * Don't bother with VNCR-based accesses in the nVHE code, it has no * business dealing with NV. */ -static inline u64 *__ctxt_sys_reg(const struct kvm_cpu_context *ctxt, int r) +static inline u64 *___ctxt_sys_reg(const struct kvm_cpu_context *ctxt, int r) { #if !defined (__KVM_NVHE_HYPERVISOR__) if (unlikely(cpus_have_final_cap(ARM64_HAS_NESTED_VIRT) && @@ -905,6 +905,13 @@ static inline u64 *__ctxt_sys_reg(const struct kvm_cpu_context *ctxt, int r) return (u64 *)&ctxt->sys_regs[r]; } +#define __ctxt_sys_reg(c,r) \ + ({ \ + BUILD_BUG_ON(__builtin_constant_p(r) && \ + (r) >= NR_SYS_REGS); \ + ___ctxt_sys_reg(c, r); \ + }) + #define ctxt_sys_reg(c,r) (*__ctxt_sys_reg(c,r)) u64 kvm_vcpu_sanitise_vncr_reg(const struct kvm_vcpu *, enum vcpu_sysreg);
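Review bot: the rename to ___ctxt_sys_reg() in the first hunk (@@ -895) leaves the helper's body untouched, so anything that reaches the triple-underscore function directly rather than through the new macro still indexes ctxt->sys_regs[r] with no range check at all, constant or otherwise. A one-line comment above the function saying it is the back end of __ctxt_sys_reg() and must not be called directly would document that contract, and since the two names now differ only in the count of leading underscores, a more distinctive spelling (an `_unchecked` or `_raw` suffix, say) would make an accidental direct call stand out in review. The surrounding context comment about VNCR-based accesses in the nVHE code still applies as written, since that logic is not changed here.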
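Review bot: the condition in the second hunk (@@ -905), `(r) >= NR_SYS_REGS`, only rejects constants that are too large; because ___ctxt_sys_reg() takes `int r`, a negative compile-time constant passes BUILD_BUG_ON and still indexes ctxt->sys_regs[r] below the start of the array. Checking `(r) < 0 || (r) >= NR_SYS_REGS`, or comparing `(unsigned long)(r) >= NR_SYS_REGS`, closes that gap with no runtime cost. Two smaller points: `__builtin_constant_p(r)` leaves the argument unparenthesized while the comparison uses `(r)`, so wrap both or neither for consistency, and the macro depends on `0 && ...` folding to a constant when `r` is not a compile-time constant, which is exactly the limitation the commit message calls out (non-constant indices are never checked); restating that caveat in a comment beside the macro saves the next reader a trip to the git log.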