| Message ID | 20241228020119.12379-1-goldside000@outlook.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | arm64: kvm: Fix potential overflow in len | expand |
On Sat, Dec 28, 2024 at 02:01:27AM +0000, Steven Davis wrote: > The MMIO sign-extension logic in kvm_handle_mmio_return can > trigger an integer overflow or undefined behavior when len > is invalid (e.g., len == 0 or len exceeds the size of unsigned > long). Specifically, the expression (len * 8) - 1 may result > in an out-of-bounds shift in the computation of the mask. I don't believe we need this. len is known to be nonzero and at most 8, which is already being tested for in the existing condition. See the definition of kvm_vcpu_dabt_get_as() if you're curious why that is.
On Sat, 28 Dec 2024 02:01:27 +0000, Steven Davis <goldside000@outlook.com> wrote: > > The MMIO sign-extension logic in kvm_handle_mmio_return can > trigger an integer overflow or undefined behavior when len > is invalid (e.g., len == 0 or len exceeds the size of unsigned > long). Specifically, the expression (len * 8) - 1 may result > in an out-of-bounds shift in the computation of the mask. > > This patch adds validation to ensure len is greater than > 0 and less than the size of unsigned long before performing > the sign-extension logic. If len falls outside this range, > the problematic logic is skipped, preventing potential issues. I'd be curious to understand how you came to this conclusion, given how len is computed. If anything, we could *remove* some of the checks, rather than adding additional ones. Also, "skipping" things is rarely an acceptable behaviour when emulating hardware behaviour. M.
diff --git a/arch/arm64/kvm/mmio.c b/arch/arm64/kvm/mmio.c index ab365e839..e4132dbc3 100644 --- a/arch/arm64/kvm/mmio.c +++ b/arch/arm64/kvm/mmio.c @@ -124,12 +124,15 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu) len = kvm_vcpu_dabt_get_as(vcpu); data = kvm_mmio_read_buf(run->mmio.data, len); - if (kvm_vcpu_dabt_issext(vcpu) && - len < sizeof(unsigned long)) { - mask = 1U << ((len * 8) - 1); - data = (data ^ mask) - mask; + if (kvm_vcpu_dabt_issext(vcpu)) { + if (len > 0 && len < sizeof(unsigned long)) { + mask = 1U << ((len * 8) - 1); + data = (data ^ mask) - mask; + } } + + if (!kvm_vcpu_dabt_issf(vcpu)) data = data & 0xffffffff;
The MMIO sign-extension logic in kvm_handle_mmio_return can trigger an integer overflow or undefined behavior when len is invalid (e.g., len == 0 or len exceeds the size of unsigned long). Specifically, the expression (len * 8) - 1 may result in an out-of-bounds shift in the computation of the mask. This patch adds validation to ensure len is greater than 0 and less than the size of unsigned long before performing the sign-extension logic. If len falls outside this range, the problematic logic is skipped, preventing potential issues. Signed-off-by: Steven Davis <goldside000@outlook.com> --- arch/arm64/kvm/mmio.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-)