From: Mirsad Todorovac <mtodorovac69@gmail.com>
To: kvm@vger.kernel.org
Cc: Sean Christopherson <seanjc@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org,
David Edmondson <david.edmondson@oracle.com>
Subject: [BUG] arch/x86/kvm/x86.c: In function ‘prepare_emulation_failure_exit’: error: use of NULL ‘data’ where non-null expected
Date: Fri, 19 Jul 2024 20:22:05 +0200 [thread overview]
Message-ID: <1eb96f85-edee-45fc-930f-a192cecbf54c@gmail.com> (raw)
Hi, all!
On linux-stable 6.10 vanilla tree, another NULL pointer is passed, which was detected
by the fortify-string.h mechanism.
arch/x86/kvm/x86.c
==================
13667 kvm_prepare_emulation_failure_exit(vcpu);
calls
8796 __kvm_prepare_emulation_failure_exit(vcpu, NULL, 0);
which calls
8790 prepare_emulation_failure_exit(vcpu, data, ndata, NULL, 0);
Note here that data == NULL and ndata == 0.
Again data == NULL and ndata == 0, which pass unchanged all the way until
8773 memcpy(&run->internal.data[info_start + ARRAY_SIZE(info)], data, ndata * sizeof(data[0]));
The problem code was introduced with the commit e615e355894e6.
arch/x86/kvm/x86.c
==================
8728 static void prepare_emulation_failure_exit(struct kvm_vcpu *vcpu, u64 *data,
8729 					       u8 ndata, u8 *insn_bytes, u8 insn_size)
8730 {
8731 	struct kvm_run *run = vcpu->run;
8732 	u64 info[5];
8733 	u8 info_start;
8734 
8735 	/*
8736 	 * Zero the whole array used to retrieve the exit info, as casting to
8737 	 * u32 for select entries will leave some chunks uninitialized.
8738 	 */
8739 	memset(&info, 0, sizeof(info));
8740 
8741 	static_call(kvm_x86_get_exit_info)(vcpu, (u32 *)&info[0], &info[1],
8742 					   &info[2], (u32 *)&info[3],
8743 					   (u32 *)&info[4]);
8744 
8745 	run->exit_reason = KVM_EXIT_INTERNAL_ERROR;
8746 	run->emulation_failure.suberror = KVM_INTERNAL_ERROR_EMULATION;
8747 
8748 	/*
8749 	 * There's currently space for 13 entries, but 5 are used for the exit
8750 	 * reason and info. Restrict to 4 to reduce the maintenance burden
8751 	 * when expanding kvm_run.emulation_failure in the future.
8752 	 */
8753 	if (WARN_ON_ONCE(ndata > 4))
8754 		ndata = 4;
8755 
8756 	/* Always include the flags as a 'data' entry. */
8757 	info_start = 1;
8758 	run->emulation_failure.flags = 0;
8759 
8760 	if (insn_size) {
8761 		BUILD_BUG_ON((sizeof(run->emulation_failure.insn_size) +
8762 			      sizeof(run->emulation_failure.insn_bytes) != 16));
8763 		info_start += 2;
8764 		run->emulation_failure.flags |=
8765 			KVM_INTERNAL_ERROR_EMULATION_FLAG_INSTRUCTION_BYTES;
8766 		run->emulation_failure.insn_size = insn_size;
8767 		memset(run->emulation_failure.insn_bytes, 0x90,
8768 		       sizeof(run->emulation_failure.insn_bytes));
8769 		memcpy(run->emulation_failure.insn_bytes, insn_bytes, insn_size);
8770 	}
8771 
8772 	memcpy(&run->internal.data[info_start], info, sizeof(info));
8773 	memcpy(&run->internal.data[info_start + ARRAY_SIZE(info)], data,
8774 	       ndata * sizeof(data[0]));
8775 
8776 	run->emulation_failure.ndata = info_start + ARRAY_SIZE(info) + ndata;
8777 }
8778 
8779 static void prepare_emulation_ctxt_failure_exit(struct kvm_vcpu *vcpu)
8780 {
8781 	struct x86_emulate_ctxt *ctxt = vcpu->arch.emulate_ctxt;
8782 
8783 	prepare_emulation_failure_exit(vcpu, NULL, 0, ctxt->fetch.data,
8784 				       ctxt->fetch.end - ctxt->fetch.data);
8785 }
8786 
8787 void __kvm_prepare_emulation_failure_exit(struct kvm_vcpu *vcpu, u64 *data,
8788 					  u8 ndata)
8789 {
8790 	prepare_emulation_failure_exit(vcpu, data, ndata, NULL, 0);
8791 }
8792 EXPORT_SYMBOL_GPL(__kvm_prepare_emulation_failure_exit);
8793 
8794 void kvm_prepare_emulation_failure_exit(struct kvm_vcpu *vcpu)
8795 {
8796 	__kvm_prepare_emulation_failure_exit(vcpu, NULL, 0);
8797 }
Probably, before, memcpy() with ndata == 0 ended in a NOOP, but now CONFIG_FORTIFY_SOURCE=y
turns it into a warning, or prevents the build with -Werror.
Hope this helps.
Best regards,
Mirsad Todorovac
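As an added user-space illustration (not from this report or the kernel tree), the following models the payload layout that prepare_emulation_failure_exit() builds, with the flags entry, optional instruction-byte header, five info entries and up to four caller entries, and guards the trailing copy so memcpy() is never handed NULL. The function names, the 13-entry buffer and the sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INFO_ENTRIES    5  /* u64 info[5] in prepare_emulation_failure_exit() */
#define MAX_USER_DATA   4  /* ndata is clamped to 4 by the kernel */
#define PAYLOAD_ENTRIES 13 /* "space for 13 entries" per the kernel comment */

/* Lay the payload out like the kernel: [flags][insn hdr x2?][info x5][data x ndata].
 * Returns the total entry count (what emulation_failure.ndata would hold),
 * or 0 if the payload would not fit in out[]. */
size_t fill_failure_data(uint64_t *out, size_t out_len,
			 const uint64_t info[INFO_ENTRIES],
			 const uint64_t *data, uint8_t ndata, int has_insn_bytes)
{
	size_t info_start = 1 + (has_insn_bytes ? 2 : 0);

	if (ndata > MAX_USER_DATA)
		ndata = MAX_USER_DATA;
	if (info_start + INFO_ENTRIES + ndata > out_len)
		return 0;
	memset(out, 0, out_len * sizeof(*out));
	memcpy(&out[info_start], info, INFO_ENTRIES * sizeof(*info));
	/* memcpy() requires valid pointers even when n == 0 (C11 7.24.1p2), which is
	 * why a literal NULL trips fortify-string.h. Skip the copy when there is
	 * nothing to copy instead of passing NULL through. */
	if (ndata)
		memcpy(&out[info_start + INFO_ENTRIES], data, ndata * sizeof(data[0]));
	return info_start + INFO_ENTRIES + ndata;
}

/* Exercise the call shapes seen in x86.c; returns the number of checks passed. */
int check_layouts(void)
{
	static const uint64_t info[INFO_ENTRIES] = { 0x30, 1, 2, 3, 4 }; /* constructed */
	static const uint64_t user[MAX_USER_DATA] = { 7, 8, 9, 10 };     /* constructed */
	uint64_t out[PAYLOAD_ENTRIES];
	int ok = 0;

	/* kvm_prepare_emulation_failure_exit(): data == NULL, ndata == 0 */
	ok += fill_failure_data(out, PAYLOAD_ENTRIES, info, NULL, 0, 0) == 6 && out[1] == 0x30;
	/* __kvm_prepare_emulation_failure_exit() with 4 caller-supplied entries */
	ok += fill_failure_data(out, PAYLOAD_ENTRIES, info, user, 4, 0) == 10 && out[9] == 10;
	/* prepare_emulation_ctxt_failure_exit(): instruction bytes present, no data */
	ok += fill_failure_data(out, PAYLOAD_ENTRIES, info, NULL, 0, 1) == 8 && out[3] == 0x30;
	/* oversized ndata is clamped, as the kernel's WARN_ON_ONCE path does */
	ok += fill_failure_data(out, PAYLOAD_ENTRIES, info, user, 9, 0) == 10;
	return ok;
}

int main(void)
{
	printf("%d/4 layout checks passed\n", check_layouts());
	return check_layouts() == 4 ? 0 : 1;
}
```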
Thread overview: 3+ messages
2024-07-19 18:22 Mirsad Todorovac
2024-07-19 19:01 ` [BUG] arch/x86/kvm/x86.c: In function ‘prepare_emulation_failure_exit’: error: use of NULL ‘data’ where non-null expected Sean Christopherson
2024-07-19 19:24 ` Mirsad Todorovac