From: sashiko-bot@kernel.org
To: "Yanfei Xu" <yanfei.xu@bytedance.com>
Cc: kvm@vger.kernel.org
Subject: Re: [v2 1/2] KVM: LoongArch: Validate irqchip index in irqfd routing
Date: Sun, 31 May 2026 14:09:20 +0000
Message-ID: <20260531140921.1B1181F00893@smtp.kernel.org>
In-Reply-To: <20260531135326.2238555-2-yanfei.xu@bytedance.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [Critical] Missing bounds check on the `e->msi.data` value before using it as an `irq` index in `eiointc_set_irq()` leads to an out-of-bounds memory read and write.
--
commit 217e342828fa29f1b763464cad52ec8a004759a7
Author: Yanfei Xu <yanfei.xu@bytedance.com>
KVM: LoongArch: Validate irqchip index in irqfd routing
This commit adds validation for the irqchip index and pin in the LoongArch
KVM irqfd routing setup to prevent out-of-bounds array access.
Closes: https://lore.kernel.org/kvm/20260525051714.485D51F000E9@smtp.kernel.org/
> diff --git a/arch/loongarch/kvm/irqfd.c b/arch/loongarch/kvm/irqfd.c
> index f4f953b224192..40ed1081c4b62 100644
> --- a/arch/loongarch/kvm/irqfd.c
> +++ b/arch/loongarch/kvm/irqfd.c
> @@ -51,7 +51,8 @@ int kvm_set_routing_entry(struct kvm *kvm,
> e->irqchip.irqchip = ue->u.irqchip.irqchip;
> e->irqchip.pin = ue->u.irqchip.pin;
>
> - if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS)
> + if (e->irqchip.pin >= KVM_IRQCHIP_NUM_PINS ||
> + e->irqchip.irqchip >= KVM_NR_IRQCHIPS)
> return -EINVAL;
>
> return 0;
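Review bot: the commit message says the new check prevents out-of-bounds array access but names neither the array that `e->irqchip.irqchip` is later used to index nor why `KVM_NR_IRQCHIPS` is its correct upper bound; please state the consumer and its array size in the commit message so the bound can be verified by inspection. A nit on the hunk itself: since both fields are assigned before the test, consider noting (or restructuring so) that a rejected entry is never consumed, so that the early assignment is clearly harmless.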
[Severity: Critical]
This is a pre-existing issue, but does this code also need bounds checking
for the MSI routing case?
When handling KVM_IRQ_ROUTING_MSI in kvm_set_routing_entry(), we copy the
user-controlled ue->u.msi.data into e->msi.data without any validation:

    e->msi.data = ue->u.msi.data;

During MSI injection, kvm_set_msi() passes this value down to
pch_msi_set_irq(), which directly uses it as the irq parameter:

    eiointc_set_irq(kvm->arch.eiointc, e->msi.data, level);

Inside eiointc_set_irq(), this untrusted value is used as an index in
bitwise operations against s->isr and passed to eiointc_update_irq():

    level ? __set_bit(irq, isr) : __clear_bit(irq, isr);
    ...
    cpu = s->sw_coremap[irq];
Could this allow a malicious guest or unprivileged host userspace to perform
an out-of-bounds memory read and write against the eiointc allocation?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260531135326.2238555-1-yanfei.xu@bytedance.com?part=1
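To make the shape of the check the review is asking for concrete, here is an added user-space model in C. It is example code written for this page, not the patch's code and not anything from arch/loongarch/kvm. Only the names KVM_NR_IRQCHIPS, KVM_IRQCHIP_NUM_PINS, isr and sw_coremap come from the hunk and the quoted snippets; the constant values, MODEL_NUM_IRQS, the struct layouts and every model_* function are assumptions made for the illustration. The point it demonstrates is that both routing kinds get bounded once at setup time, in the same function the hunk touches, and that the injection-time consumer keeps a second bound of its own.

```c
/* Added user-space model, not kernel code. KVM_NR_IRQCHIPS and
 * KVM_IRQCHIP_NUM_PINS are names from the hunk (values assumed here);
 * MODEL_NUM_IRQS, the structs and all model_* functions are hypothetical. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KVM_NR_IRQCHIPS       1U    /* assumed */
#define KVM_IRQCHIP_NUM_PINS  64U   /* assumed */
#define MODEL_NUM_IRQS        256U  /* assumed size of the irq bitmap */
#define MODEL_BITS_PER_LONG   (sizeof(unsigned long) * CHAR_BIT)
#define MODEL_ISR_WORDS       ((MODEL_NUM_IRQS + MODEL_BITS_PER_LONG - 1) / MODEL_BITS_PER_LONG)

enum model_route_type { MODEL_ROUTE_IRQCHIP, MODEL_ROUTE_MSI };

/* Kernel-side copy of a user-supplied routing entry (hypothetical layout). */
struct model_route {
	enum model_route_type type;
	unsigned int irqchip;
	unsigned int pin;
	uint32_t msi_data;
};

/* Controller state: the irq bitmap and per-irq core map that, per the
 * review, an unchecked e->msi.data would end up indexing. */
struct model_eiointc {
	unsigned long isr[MODEL_ISR_WORDS];
	uint8_t sw_coremap[MODEL_NUM_IRQS];
};

/* Setup-time validation, shaped like the hunk but covering both routing
 * kinds: reject the entry once, before anything consumes it. */
int model_set_routing_entry(struct model_route *e, const struct model_route *ue)
{
	switch (ue->type) {
	case MODEL_ROUTE_IRQCHIP:
		e->type = ue->type;
		e->irqchip = ue->irqchip;
		e->pin = ue->pin;
		if (e->pin >= KVM_IRQCHIP_NUM_PINS || e->irqchip >= KVM_NR_IRQCHIPS)
			return -EINVAL;
		return 0;
	case MODEL_ROUTE_MSI:
		e->type = ue->type;
		e->msi_data = ue->msi_data;
		/* The check the review asks for: bound the data word before it
		 * can ever be used as an index into isr[] or sw_coremap[]. */
		if (e->msi_data >= MODEL_NUM_IRQS)
			return -EINVAL;
		return 0;
	default:
		return -EINVAL;
	}
}

/* Injection-time consumer. Keeps its own bound as defence in depth and
 * returns the mapped core, or -1 when the index is out of range. */
int model_eiointc_set_irq(struct model_eiointc *s, uint32_t irq, int level)
{
	unsigned long mask;

	if (irq >= MODEL_NUM_IRQS)
		return -1;
	mask = 1UL << (irq % MODEL_BITS_PER_LONG);
	if (level)
		s->isr[irq / MODEL_BITS_PER_LONG] |= mask;
	else
		s->isr[irq / MODEL_BITS_PER_LONG] &= ~mask;
	return s->sw_coremap[irq];
}

/* Push one entry of either kind through the setup path; returns its result. */
int model_check(enum model_route_type type, unsigned int irqchip, unsigned int pin, uint32_t data)
{
	struct model_route ue = { .type = type, .irqchip = irqchip, .pin = pin, .msi_data = data }, e;

	return model_set_routing_entry(&e, &ue);
}

/* Inject one irq into a fresh controller with a constructed core map
 * (core = irq % 4); returns that core, or -1 if the index was rejected. */
int model_inject(uint32_t irq)
{
	struct model_eiointc s;
	unsigned int i;

	memset(&s, 0, sizeof(s));
	for (i = 0; i < MODEL_NUM_IRQS; i++)
		s.sw_coremap[i] = (uint8_t)(i % 4);
	return model_eiointc_set_irq(&s, irq, 1);
}

int main(void)
{
	printf("msi.data=4096 at setup: %d (EINVAL is %d)\n",
	       model_check(MODEL_ROUTE_MSI, 0, 0, 4096), -EINVAL);
	printf("irq 5 -> core %d, irq 256 -> %d\n", model_inject(5), model_inject(256));
	return 0;
}
```

The design choice worth noting is where the bound lives: rejecting the entry in the routing-setup path means a bad value never reaches the per-injection hot path, while the extra compare in the consumer costs nothing measurable and catches any future caller that bypasses setup.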