* [PULL 0/1] s390x/kvm fix for potential crash
@ 2026-06-29 13:31 Cornelia Huck
From: Cornelia Huck @ 2026-06-29 13:31 UTC (permalink / raw)
To: qemu-devel; +Cc: qemu-s390x, Cornelia Huck
The following changes since commit 60533c6193ede6ce403e82d09d82ae2bc8fb423a:
Merge tag 'ui-pr-v1' of https://gitlab.com/marcandre.lureau/qemu into staging (2026-06-25 16:58:35 -0400)
are available in the Git repository at:
https://gitlab.com/cohuck/qemu tags/s390x-20260629
for you to fetch changes up to a57e4612b61da20ddab196502c76b4dc05da1de8:
s390x/kvm: clamp stsi 3.2.2 size (2026-06-26 11:56:44 +0200)
----------------------------------------------------------------
Fix a potential way for an s390x/kvm guest to crash QEMU while filling a STSI buffer.
----------------------------------------------------------------
Christian Borntraeger (1):
s390x/kvm: clamp stsi 3.2.2 size
target/s390x/kvm/kvm.c | 9 +++++++++
1 file changed, 9 insertions(+)
--
2.54.0
* [PULL 1/1] s390x/kvm: clamp stsi 3.2.2 size
From: Cornelia Huck @ 2026-06-29 13:31 UTC (permalink / raw)
To: qemu-devel
Cc: qemu-s390x, Christian Borntraeger, qemu-stable, Eric Farman, Cornelia Huck
From: Christian Borntraeger <borntraeger@linux.ibm.com>
The stsi 3.2.2 page is being prepared by the kvm module and the size is
clamped by the kernel. As the memory is mapped in the guest, another
guest VCPU could race and overwrite the count, messing up the move
operation. For any out-of-bounds count, fall back to the kernel buffer.
Cc: qemu-stable@nongnu.org
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
Message-ID: <20260622092035.400959-1-borntraeger@linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck@redhat.com>
---
target/s390x/kvm/kvm.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c
index 2e4f435c5371..fdef8f9e8acc 100644
--- a/target/s390x/kvm/kvm.c
+++ b/target/s390x/kvm/kvm.c
@@ -1765,6 +1765,15 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
} else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) {
return;
}
+
+ /*
+ * The memory was filled by the kernel but mapped into the guest.
+ * If something is fishy, do not touch the buffer.
+ */
+ if (sysib.count == 0 || sysib.count > ARRAY_SIZE(sysib.ext_names)) {
+ return;
+ }
+
/* Shift the stack of Extended Names to prepare for our own data */
memmove(&sysib.ext_names[1], &sysib.ext_names[0],
sizeof(sysib.ext_names[0]) * (sysib.count - 1));
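Review bot: the comment on the new check should name the concrete failure modes instead of "If something is fishy": with the unchanged `memmove(&sysib.ext_names[1], &sysib.ext_names[0], sizeof(sysib.ext_names[0]) * (sysib.count - 1))` that follows, `sysib.count == 0` makes `(sysib.count - 1)` wrap so the move length becomes enormous, and `sysib.count > ARRAY_SIZE(sysib.ext_names)` moves entries past the end of `ext_names`; it could also say, as the commit message does, that returning here leaves the guest with the kernel-filled buffer unchanged. The check is made on the local `sysib` copy produced by s390_cpu_virt_mem_read(), so a VCPU racing on the guest mapping cannot change `count` between this check and the memmove, which is the right place for it.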
--
2.54.0
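To show why the bound on `count` matters, here is an added example that is not QEMU's code: the struct layout, field types and sizes are a constructed model, and the functions compute the length the unchecked shift would hand to memmove for count == 0 and exercise the bounded shift the patch introduces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a SYSIB 3.2.2 block: a count byte followed by a fixed
 * table of extended-name entries. Field types and sizes are assumptions made
 * for this example, not QEMU's definition. */
#define EXT_NAME_LEN 256
#define MAX_EXT_NAMES 8

struct sysib_322 {
    uint8_t count;
    uint8_t ext_names[MAX_EXT_NAMES][EXT_NAME_LEN];
};

/* Length the unchecked shift would hand to memmove for a given count.
 * count is promoted to int, so count == 0 yields -1, which is converted to
 * size_t when multiplied by the sizeof: the length wraps to a huge value. */
size_t unchecked_shift_len(uint8_t count)
{
    return sizeof(((struct sysib_322 *)0)->ext_names[0]) * (count - 1);
}

/* Bounded shift mirroring the patch: refuse count == 0 and counts beyond the
 * table before moving anything. Returns false when the buffer is untouched. */
bool shift_ext_names(struct sysib_322 *sysib)
{
    if (sysib->count == 0 || sysib->count > MAX_EXT_NAMES) {
        return false;
    }
    memmove(&sysib->ext_names[1], &sysib->ext_names[0],
            sizeof(sysib->ext_names[0]) * (sysib->count - 1));
    return true;
}

/* Tag entry i with i + 1, attempt the shift with the given count, and return
 * the tag now at ext_names[idx][0], or -1 if the shift was refused. */
int tag_after_shift(uint8_t count, size_t idx)
{
    struct sysib_322 s;
    memset(&s, 0, sizeof(s));
    for (size_t i = 0; i < MAX_EXT_NAMES; i++) {
        s.ext_names[i][0] = (uint8_t)(i + 1);
    }
    s.count = count;
    return shift_ext_names(&s) ? s.ext_names[idx][0] : -1;
}
```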
* Re: [PULL 0/1] s390x/kvm fix for potential crash
From: Stefan Hajnoczi @ 2026-06-29 18:29 UTC (permalink / raw)
To: Cornelia Huck; +Cc: qemu-devel, qemu-s390x, Cornelia Huck
Applied, thanks.
Please update the changelog at https://wiki.qemu.org/ChangeLog/11.1 for any user-visible changes.