From: Cornelia Huck
To: qemu-devel@nongnu.org
Cc: qemu-s390x@nongnu.org, Christian Borntraeger, qemu-stable@nongnu.org, Eric Farman, Cornelia Huck
Subject: [PULL 1/1] s390x/kvm: clamp stsi 3.2.2 size
Date: Mon, 29 Jun 2026 15:31:33 +0200
Message-ID: <20260629133133.1189753-2-cohuck@redhat.com>
In-Reply-To: <20260629133133.1189753-1-cohuck@redhat.com>
References: <20260629133133.1189753-1-cohuck@redhat.com>

From: Christian Borntraeger

The stsi 3.2.2 page is being prepared by the kvm module and the size is clamped by the kernel. As the memory is mapped in the guest, another guest VCPU could race and overwrite the count and mess up the move operation. For any out-of-bounds count, fall back to the kernel buffer.

Cc: qemu-stable@nongnu.org
Signed-off-by: Christian Borntraeger
Reviewed-by: Eric Farman
Message-ID: <20260622092035.400959-1-borntraeger@linux.ibm.com>
Signed-off-by: Cornelia Huck
---
 target/s390x/kvm/kvm.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 2e4f435c5371..fdef8f9e8acc 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -1765,6 +1765,15 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar) } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) { return; } + + /* + * The memory was filled by the kernel but mapped into the guest. + * If something is fishy, do not touch the buffer. + */ + if (sysib.count == 0 || sysib.count > ARRAY_SIZE(sysib.ext_names)) { + return; + } + /* Shift the stack of Extended Names to prepare for our own data */ memmove(&sysib.ext_names[1], &sysib.ext_names[0], sizeof(sysib.ext_names[0]) * (sysib.count - 1)); -- 2.54.0
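Review bot: the bail-out is correct but silent: the `if (sysib.count == 0 || sysib.count > ARRAY_SIZE(sysib.ext_names))` path returns without any trace or warning, so an operator cannot tell that a guest presented a count outside 1..ARRAY_SIZE(sysib.ext_names) and that QEMU's own entry was therefore never inserted; consider a trace point or a `warn_report_once()` on that path so the condition is observable. The comment "If something is fishy" would also be clearer if it named what each bound protects: the `count == 0` test is what keeps `sizeof(sysib.ext_names[0]) * (sysib.count - 1)` in the following memmove from wrapping to a huge length, and the upper bound keeps `&sysib.ext_names[1]` plus `count - 1` moved entries inside the array (a count equal to ARRAY_SIZE still fits, since only `count - 1` entries are shifted). Since both the check and the memmove operate on the local copy `sysib` rather than on guest memory, the check itself cannot be raced by another vCPU once the read has completed.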