[bug report] kvm: x86: Add support for getting/setting expanded xstate buffer
From: Dan Carpenter @ 2022-01-11  5:51 UTC (permalink / raw)
  To: guang.zeng; +Cc: kvm

Hello Guang Zeng,

The patch 16786d406fe8: "kvm: x86: Add support for getting/setting
expanded xstate buffer" from Jan 5, 2022, leads to the following
Smatch static checker warning:

	arch/x86/kvm/x86.c:5411 kvm_arch_vcpu_ioctl()
	warn: is memdup() '0-s32max' large enough for 'struct kvm_xsave'

arch/x86/kvm/x86.c
    5390         case KVM_GET_XSAVE: {
    5391                 r = -EINVAL;
    5392                 if (vcpu->arch.guest_fpu.uabi_size > sizeof(struct kvm_xsave))
    5393                         break;
    5394 
    5395                 u.xsave = kzalloc(sizeof(struct kvm_xsave), GFP_KERNEL_ACCOUNT);
    5396                 r = -ENOMEM;
    5397                 if (!u.xsave)
    5398                         break;
    5399 
    5400                 kvm_vcpu_ioctl_x86_get_xsave(vcpu, u.xsave);
    5401 
    5402                 r = -EFAULT;
    5403                 if (copy_to_user(argp, u.xsave, sizeof(struct kvm_xsave)))
    5404                         break;
    5405                 r = 0;
    5406                 break;
    5407         }
    5408         case KVM_SET_XSAVE: {
    5409                 int size = vcpu->arch.guest_fpu.uabi_size;
    5410 

There is no check whether size >= sizeof(struct kvm_xsave).

--> 5411                 u.xsave = memdup_user(argp, size);
    5412                 if (IS_ERR(u.xsave)) {
    5413                         r = PTR_ERR(u.xsave);
    5414                         goto out_nofree;
    5415                 }
    5416 
    5417                 r = kvm_vcpu_ioctl_x86_set_xsave(vcpu, u.xsave);

So this can read out of bounds.

    5418                 break;
    5419         }
    5420 
    5421         case KVM_GET_XSAVE2: {
    5422                 int size = vcpu->arch.guest_fpu.uabi_size;
    5423 
    5424                 u.xsave = kzalloc(size, GFP_KERNEL_ACCOUNT);
    5425                 r = -ENOMEM;
    5426                 if (!u.xsave)
    5427                         break;
    5428 
    5429                 kvm_vcpu_ioctl_x86_get_xsave2(vcpu, u.buffer, size);
    5430 
    5431                 r = -EFAULT;
    5432                 if (copy_to_user(argp, u.xsave, size))
    5433                         break;
    5434 
    5435                 r = 0;
    5436                 break;
    5437         }
    5438 

regards,
dan carpenter
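A hardened version of the KVM_SET_XSAVE size handling the report flags, as an added C example that is not part of the report or of the kernel's own fix: it applies the same guard the KVM_GET_XSAVE case already has and copies exactly sizeof(struct kvm_xsave), so a consumer that reads the whole struct never runs past the allocation. struct kvm_xsave, the vCPU state and memdup_user() are reduced to user-space stand-ins (the 4096-byte struct size and the model names are assumptions) so the check can be exercised outside the kernel.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins: the fixed-size uapi struct (4096 bytes is an assumption), the per-vCPU field
 * the report's path reads, and a user buffer whose len lets the copy be bounds-checked. */
struct kvm_xsave { uint32_t region[1024]; };
struct vcpu_model { size_t uabi_size; };
struct user_mem { const uint8_t *data; size_t len; };

/* Models memdup_user(): copy size bytes into a new allocation; NULL stands for a user fault. */
static void *memdup_user_model(const struct user_mem *u, size_t size)
{
	void *p = size > u->len ? NULL : malloc(size);
	if (p)
		memcpy(p, u->data, size);
	return p;
}

/* Hardened KVM_SET_XSAVE path (added example, not the kernel's fix): reject a uabi_size the
 * legacy struct cannot hold, then copy the fixed struct size rather than the variable one. */
static int set_xsave_checked(const struct vcpu_model *vcpu, const struct user_mem *argp, struct kvm_xsave *out)
{
	struct kvm_xsave *xsave;
	if (vcpu->uabi_size > sizeof(struct kvm_xsave))
		return -EINVAL;
	xsave = memdup_user_model(argp, sizeof(struct kvm_xsave));
	if (!xsave)
		return -EFAULT;
	*out = *xsave;		/* consumer may now read every byte of the struct in bounds */
	free(xsave);
	return 0;
}

/* Runs the handler against a constructed user buffer of user_len bytes filled with 0xA5;
 * 0 is reported only when the copied region really arrived intact. */
static int demo_set_xsave(size_t uabi_size, size_t user_len)
{
	struct vcpu_model vcpu = { .uabi_size = uabi_size };
	uint8_t *data = malloc(user_len + 1);
	struct user_mem argp = { .data = data ? memset(data, 0xA5, user_len) : NULL, .len = user_len };
	struct kvm_xsave out;
	int rc = data ? set_xsave_checked(&vcpu, &argp, &out) : -ENOMEM;
	if (rc == 0 && out.region[0] != 0xA5A5A5A5u)
		rc = -EIO;
	free(data);
	return rc;
}
```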
