From: Dan Carpenter <dan.carpenter@oracle.com>
To: guang.zeng@intel.com
Cc: kvm@vger.kernel.org
Subject: [bug report] kvm: x86: Add support for getting/setting expanded xstate buffer
Date: Tue, 11 Jan 2022 08:51:17 +0300
Message-ID: <20220111055117.GA3117@kili>

Hello Guang Zeng,

The patch 16786d406fe8: "kvm: x86: Add support for getting/setting
expanded xstate buffer" from Jan 5, 2022, leads to the following
Smatch static checker warning:

	arch/x86/kvm/x86.c:5411 kvm_arch_vcpu_ioctl()
	warn: is memdup() '0-s32max' large enough for 'struct kvm_xsave'

arch/x86/kvm/x86.c
    5390         case KVM_GET_XSAVE: {
    5391                 r = -EINVAL;
    5392                 if (vcpu->arch.guest_fpu.uabi_size > sizeof(struct kvm_xsave))
    5393                         break;
    5394 
    5395                 u.xsave = kzalloc(sizeof(struct kvm_xsave), GFP_KERNEL_ACCOUNT);
    5396                 r = -ENOMEM;
    5397                 if (!u.xsave)
    5398                         break;
    5399 
    5400                 kvm_vcpu_ioctl_x86_get_xsave(vcpu, u.xsave);
    5401 
    5402                 r = -EFAULT;
    5403                 if (copy_to_user(argp, u.xsave, sizeof(struct kvm_xsave)))
    5404                         break;
    5405                 r = 0;
    5406                 break;
    5407         }
    5408         case KVM_SET_XSAVE: {
    5409                 int size = vcpu->arch.guest_fpu.uabi_size;
    5410 

There is no check whether size >= sizeof(struct kvm_xsave).

--> 5411                 u.xsave = memdup_user(argp, size);
    5412                 if (IS_ERR(u.xsave)) {
    5413                         r = PTR_ERR(u.xsave);
    5414                         goto out_nofree;
    5415                 }
    5416 
    5417                 r = kvm_vcpu_ioctl_x86_set_xsave(vcpu, u.xsave);

So this can read out of bounds.

    5418                 break;
    5419         }
    5420 
    5421         case KVM_GET_XSAVE2: {
    5422                 int size = vcpu->arch.guest_fpu.uabi_size;
    5423 
    5424                 u.xsave = kzalloc(size, GFP_KERNEL_ACCOUNT);
    5425                 r = -ENOMEM;
    5426                 if (!u.xsave)
    5427                         break;
    5428 
    5429                 kvm_vcpu_ioctl_x86_get_xsave2(vcpu, u.buffer, size);
    5430 
    5431                 r = -EFAULT;
    5432                 if (copy_to_user(argp, u.xsave, size))
    5433                         break;
    5434 
    5435                 r = 0;
    5436                 break;
    5437         }
    5438 

regards,
dan carpenter
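The guard the report asks for, as an added user-space model rather than kernel code or the upstream fix: a driver keeps a per-vCPU size (guest_fpu.uabi_size in KVM, `uabi_size` here), duplicates that many bytes from the caller, and then hands the buffer to a consumer that treats it as a whole `struct kvm_xsave`. The missing lower-bound check is `size >= sizeof(struct kvm_xsave)`; without it a short allocation is read as if it were the full struct. All `*_model` names, the sample buffer and the checksum consumer are constructed for this example and are not KVM identifiers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Models the fixed-size UAPI type; the real struct kvm_xsave has __u32 region[1024]. */
struct kvm_xsave_model {
	unsigned int region[1024];
};

/* Stand-in for memdup_user(): copies `size` bytes of the caller's buffer into a
 * fresh allocation. `user_len` models how many bytes of argp are readable;
 * asking for more fails the way copy_from_user() would. */
static void *memdup_user_model(const unsigned char *uptr, size_t user_len,
			       size_t size, int *err)
{
	void *p;

	if (size > user_len) {
		*err = -EFAULT;
		return NULL;
	}
	p = malloc(size);
	if (!p) {
		*err = -ENOMEM;
		return NULL;
	}
	memcpy(p, uptr, size);
	return p;
}

/* Models the consumer (kvm_vcpu_ioctl_x86_set_xsave() in the report): it reads
 * the whole fixed struct, whatever size the buffer was allocated with. */
static unsigned int consume_xsave_model(const struct kvm_xsave_model *x)
{
	unsigned int sum = 0;
	size_t i;

	for (i = 0; i < sizeof(x->region) / sizeof(x->region[0]); i++)
		sum += x->region[i];
	return sum;
}

/* The guard the report asks for: the buffer must hold at least one struct. */
int xsave_set_size_ok(size_t size)
{
	return size >= sizeof(struct kvm_xsave_model);
}

/* KVM_SET_XSAVE with the guard in place. Returns 0 and stores the consumer's
 * result in *out, or a negative errno: -EINVAL from the guard, -EFAULT or
 * -ENOMEM from the memdup_user() stand-in. */
int set_xsave_model(const unsigned char *uptr, size_t user_len,
		    size_t uabi_size, unsigned int *out)
{
	struct kvm_xsave_model *x;
	int err = 0;

	if (!xsave_set_size_ok(uabi_size))
		return -EINVAL;

	x = memdup_user_model(uptr, user_len, uabi_size, &err);
	if (!x)
		return err;

	*out = consume_xsave_model(x);
	free(x);
	return 0;
}

/* Constructed sample input: a caller buffer, 64 bytes longer than the struct,
 * with region[0] = 7 and region[1023] = 9 so the consumer's sum is 16. */
#define SAMPLE_USER_LEN (sizeof(struct kvm_xsave_model) + 64)
static unsigned char sample_user_buf[SAMPLE_USER_LEN];

const unsigned char *sample_user_buffer(void)
{
	unsigned int first = 7, last = 9;

	memset(sample_user_buf, 0, sizeof(sample_user_buf));
	memcpy(sample_user_buf, &first, sizeof(first));
	memcpy(sample_user_buf + 1023 * sizeof(unsigned int), &last, sizeof(last));
	return sample_user_buf;
}

/* Runs the checked path over the sample for a given uabi_size; status only. */
int sample_set_status(size_t uabi_size)
{
	unsigned int out = 0;

	return set_xsave_model(sample_user_buffer(), SAMPLE_USER_LEN, uabi_size, &out);
}

/* Same, returning the consumer's result (0 when the path was rejected). */
unsigned int sample_set_checksum(size_t uabi_size)
{
	unsigned int out = 0;

	set_xsave_model(sample_user_buffer(), SAMPLE_USER_LEN, uabi_size, &out);
	return out;
}
```

A uabi_size larger than the struct is accepted: the allocation is then bigger than what the consumer reads, which is the case KVM_GET_XSAVE2 exists for. Note that the kernel variable in the listing is an `int`; comparing a signed `size` against `sizeof()` promotes it to unsigned, so a negative value would pass a `>=` check. Smatch bounds it to `0-s32max` here, but a guard on a signed size should reject negatives explicitly or use an unsigned type as this model does.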
