* [PULL 0/1] s390x/kvm fix for potential crash
From: Cornelia Huck @ 2026-06-29 13:31 UTC (permalink / raw)
  To: qemu-devel; +Cc: qemu-s390x, Cornelia Huck

The following changes since commit 60533c6193ede6ce403e82d09d82ae2bc8fb423a:

  Merge tag 'ui-pr-v1' of https://gitlab.com/marcandre.lureau/qemu into staging (2026-06-25 16:58:35 -0400)

are available in the Git repository at:

  https://gitlab.com/cohuck/qemu tags/s390x-20260629

for you to fetch changes up to a57e4612b61da20ddab196502c76b4dc05da1de8:

  s390x/kvm: clamp stsi 3.2.2 size (2026-06-26 11:56:44 +0200)

----------------------------------------------------------------
Fix a potential way for an s390x/kvm guest to crash QEMU while filling a STSI buffer.

----------------------------------------------------------------

Christian Borntraeger (1):
  s390x/kvm: clamp stsi 3.2.2 size

 target/s390x/kvm/kvm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

-- 
2.54.0




* [PULL 1/1] s390x/kvm: clamp stsi 3.2.2 size
From: Cornelia Huck @ 2026-06-29 13:31 UTC (permalink / raw)
  To: qemu-devel
  Cc: qemu-s390x, Christian Borntraeger, qemu-stable, Eric Farman,
	Cornelia Huck

From: Christian Borntraeger <borntraeger@linux.ibm.com>

The stsi 3.2.2 page is being prepared by the kvm module and the size is
clamped by the kernel. As the memory is mapped in the guest, another
guest VCPU could race and overwrite the count, messing up the move
operation. For any out-of-bounds count, fall back to the kernel buffer.

Cc: qemu-stable@nongnu.org
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-ID: <20260622092035.400959-1-borntraeger@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
---
 target/s390x/kvm/kvm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c
index 2e4f435c5371..fdef8f9e8acc 100644
--- a/target/s390x/kvm/kvm.c
+++ b/target/s390x/kvm/kvm.c
@@ -1765,6 +1765,15 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
     } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) {
         return;
     }
+
+    /*
+     * The memory was filled by the kernel but mapped into the guest.
+     * If something is fishy, do not touch the buffer.
+     */
+    if (sysib.count == 0 || sysib.count > ARRAY_SIZE(sysib.ext_names)) {
+        return;
+    }
+
     /* Shift the stack of Extended Names to prepare for our own data */
     memmove(&sysib.ext_names[1], &sysib.ext_names[0],
             sizeof(sysib.ext_names[0]) * (sysib.count - 1));
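Review bot: the new comment ("If something is fishy, do not touch the buffer.") is vaguer than the check deserves; spelling out the two concrete hazards would keep a future cleanup from relaxing it. With `sysib.count == 0` the size passed to the `memmove()` right below, `sizeof(sysib.ext_names[0]) * (sysib.count - 1)`, wraps to a huge size_t, and with `sysib.count > ARRAY_SIZE(sysib.ext_names)` the shift reads past the end of `ext_names`. Something like `/* count lives in guest memory and can be changed by another VCPU; 0 or > ARRAY_SIZE would make the memmove below overflow */` says what the commit message says. It is also worth noting that the check runs on the local copy read into `sysib` above, so it cannot be raced once the copy is taken. The lines that insert the new entry and adjust `count` fall outside this hunk; please confirm that `count == ARRAY_SIZE(sysib.ext_names)` does not then push `count` past the array.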
-- 
2.54.0




* Re: [PULL 0/1] s390x/kvm fix for potential crash
From: Stefan Hajnoczi @ 2026-06-29 18:29 UTC (permalink / raw)
  To: Cornelia Huck; +Cc: qemu-devel, qemu-s390x, Cornelia Huck


Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.1 for any user-visible changes.


