From: Cornelia Huck <cornelia.huck@de.ibm.com>
To: Greg Kurz <gkurz@linux.vnet.ibm.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
james.hogan@imgtec.com, mingo@redhat.com,
linux-mips@linux-mips.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, qemu-ppc@nongnu.org,
Paul Mackerras <paulus@samba.org>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v3] KVM: remove buggy vcpu id check on vcpu creation
Date: Wed, 20 Apr 2016 18:48:07 +0200 [thread overview]
Message-ID: <20160420184807.056da314.cornelia.huck@de.ibm.com> (raw)
In-Reply-To: <146116689259.20666.15860134511726195550.stgit@bahia.huguette.org>
On Wed, 20 Apr 2016 17:44:54 +0200
Greg Kurz <gkurz@linux.vnet.ibm.com> wrote:
> Commit 338c7dbadd26 ("KVM: Improve create VCPU parameter (CVE-2013-4587)")
> introduced a check to prevent potential kernel memory corruption in case
> the vcpu id is too great.
>
> Unfortunately this check assumes vcpu ids grow in sequence with a common
> difference of 1, which is wrong: archs are free to use vcpu id as they fit.
> For example, QEMU originated vcpu ids for PowerPC cpus running in boot3s_hv
> mode, can grow with a common difference of 2, 4 or 8: if KVM_MAX_VCPUS is
> 1024, guests may be limited down to 128 vcpus on POWER8.
>
> This means the check does not belong here and should be moved to some arch
> specific function: kvm_arch_vcpu_create() looks like a good candidate.
>
> ARM and s390 already have such a check.
>
> I could not spot any path in the PowerPC or common KVM code where a vcpu
> id is used as described in the above commit: I believe PowerPC can live
> without this check.
>
> In the end, this patch simply moves the check to MIPS and x86.
>
> Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> ---
> v3: use ERR_PTR()
>
> arch/mips/kvm/mips.c | 7 ++++++-
> arch/x86/kvm/x86.c | 3 +++
> virt/kvm/kvm_main.c | 3 ---
> 3 files changed, 9 insertions(+), 4 deletions(-)
>
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
next prev parent reply other threads:[~2016-04-20 16:48 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-20 15:44 [PATCH v3] KVM: remove buggy vcpu id check on vcpu creation Greg Kurz
2016-04-20 16:10 ` James Hogan
2016-04-20 16:10 ` James Hogan
2016-04-20 16:48 ` Cornelia Huck [this message]
2016-04-21 13:24 ` David Hildenbrand
2016-04-20 17:02 ` Radim Krčmář
2016-04-20 17:09 ` James Hogan
2016-04-20 17:09 ` James Hogan
2016-04-20 17:27 ` Radim Krčmář
2016-04-20 17:53 ` Greg Kurz
2016-04-20 18:31 ` Radim Krčmář
2016-04-20 18:29 ` Radim Krčmář
2016-04-21 11:29 ` Greg Kurz
2016-04-21 11:29 ` Greg Kurz
2016-04-21 12:26 ` Cornelia Huck
2016-04-21 13:05 ` Greg Kurz
2016-04-21 13:22 ` David Hildenbrand
2016-04-21 15:29 ` Radim Krčmář
2016-04-21 15:49 ` Greg Kurz
2016-04-21 16:08 ` Radim Krčmář
2016-04-21 17:18 ` Greg Kurz
2016-04-21 17:39 ` Radim Krčmář
2016-04-21 18:08 ` Greg Kurz
2016-04-22 1:40 ` Wanpeng Li
2016-04-22 13:07 ` Radim Krčmář
2016-04-23 22:54 ` Wanpeng Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160420184807.056da314.cornelia.huck@de.ibm.com \
--to=cornelia.huck@de.ibm.com \
--cc=david@gibson.dropbear.id.au \
--cc=gkurz@linux.vnet.ibm.com \
--cc=james.hogan@imgtec.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=mingo@redhat.com \
--cc=paulus@samba.org \
--cc=pbonzini@redhat.com \
--cc=qemu-ppc@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.