[PULL 0/1] s390x/kvm fix for potential crash
From: Cornelia Huck @ 2026-06-29 13:31 UTC
To: qemu-devel
Cc: qemu-s390x, Cornelia Huck

The following changes since commit 60533c6193ede6ce403e82d09d82ae2bc8fb423a:

  Merge tag 'ui-pr-v1' of https://gitlab.com/marcandre.lureau/qemu into staging (2026-06-25 16:58:35 -0400)

are available in the Git repository at:

  https://gitlab.com/cohuck/qemu tags/s390x-20260629

for you to fetch changes up to a57e4612b61da20ddab196502c76b4dc05da1de8:

  s390x/kvm: clamp stsi 3.2.2 size (2026-06-26 11:56:44 +0200)

----------------------------------------------------------------
Fix a potential way for an s390x/kvm guest to crash QEMU while filling
a STSI buffer.
----------------------------------------------------------------

Christian Borntraeger (1):
      s390x/kvm: clamp stsi 3.2.2 size

 target/s390x/kvm/kvm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

-- 
2.54.0
* [PULL 1/1] s390x/kvm: clamp stsi 3.2.2 size 2026-06-29 13:31 [PULL 0/1] s390x/kvm fix for potential crash Cornelia Huck @ 2026-06-29 13:31 ` Cornelia Huck 2026-06-29 18:29 ` [PULL 0/1] s390x/kvm fix for potential crash Stefan Hajnoczi 1 sibling, 0 replies; 3+ messages in thread From: Cornelia Huck @ 2026-06-29 13:31 UTC (permalink / raw) To: qemu-devel Cc: qemu-s390x, Christian Borntraeger, qemu-stable, Eric Farman, Cornelia Huck From: Christian Borntraeger <borntraeger@linux.ibm.com> The stsi 3.2.2 page is being prepared by the kvm module and the size is clamped by the kernel. As the memory is mapped in the guest, another guest VCPU could race and overwrite the count and messing up the move operation. For any out of bound count, fall back to the kernel buffer. Cc: qemu-stable@nongnu.org Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com> Reviewed-by: Eric Farman <farman@linux.ibm.com> Message-ID: <20260622092035.400959-1-borntraeger@linux.ibm.com> Signed-off-by: Cornelia Huck <cohuck@redhat.com> --- target/s390x/kvm/kvm.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 2e4f435c5371..fdef8f9e8acc 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -1765,6 +1765,15 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar) } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) { return; } + + /* + * The memory was filled by the kernel but mapped into the guest. + * If something is fishy, do not touch the buffer. + */ + if (sysib.count == 0 || sysib.count > ARRAY_SIZE(sysib.ext_names)) { + return; + } + /* Shift the stack of Extended Names to prepare for our own data */ memmove(&sysib.ext_names[1], &sysib.ext_names[0], sizeof(sysib.ext_names[0]) * (sysib.count - 1)); -- 2.54.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
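Review bot: The comment above the new check ("If something is fishy") would be clearer if it named the two conditions it guards, since both are visible in the memmove that follows: a count of 0 makes `sizeof(sysib.ext_names[0]) * (sysib.count - 1)` wrap to a huge size, and a count above `ARRAY_SIZE(sysib.ext_names)` makes the same memmove run past the end of the array. Because `sysib` is the local copy (filled by the kernel or read back with `s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))`), the value checked is the value the memmove uses, so there is no window for a racing VCPU between the check and the move; spelling that out in the comment would save the next reader from re-deriving why the check is sufficient. Suggested wording: /* A count of 0 underflows the memmove size below and a count above ARRAY_SIZE(ext_names) overruns it; sysib is our local copy, so the check and the move see the same value. */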
Re: [PULL 0/1] s390x/kvm fix for potential crash
From: Stefan Hajnoczi @ 2026-06-29 18:29 UTC
To: Cornelia Huck
Cc: qemu-devel, qemu-s390x, Cornelia Huck

Applied, thanks.

Please update the changelog at https://wiki.qemu.org/ChangeLog/11.1 for any user-visible changes.