From: Jan Kiszka
Sender: jan.kiszka@web.de
Date: Thu, 02 Jul 2009 22:04:48 +0200
Message-ID: <4A4D12E0.9070909@web.de>
Subject: [Qemu-devel] [PATCH] kvm: Work around borken MSR_GET_INDEX_LIST
To: Anthony Liguori
Cc: qemu-devel, Avi Kivity

Allocate enough memory for KVM_GET_MSR_INDEX_LIST as older kernels shot far beyond their limits, corrupting user space memory.

Signed-off-by: Jan Kiszka
---
 target-i386/kvm.c | 7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 4a3f598..cab9fcc 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -239,8 +239,11 @@ static int kvm_has_msr_star(CPUState *env) if (ret < 0) return 0; =20 - kvm_msr_list =3D qemu_mallocz(sizeof(msr_list) + - msr_list.nmsrs * sizeof(msr_list.ind= ices[0])); + /* Old kernel modules had a bug and could write beyond the provi= ded + memory. Allocate at least a safe amount of 1K. */ + kvm_msr_list =3D qemu_mallocz(MAX(1024, sizeof(msr_list) + + msr_list.nmsrs * + sizeof(msr_list.indices[0]= ))); =20 kvm_msr_list->nmsrs =3D msr_list.nmsrs; ret =3D kvm_ioctl(env->kvm_state, KVM_GET_MSR_INDEX_LIST, kvm_ms= r_list); --------------enig837832258430BC6F852EF274 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org iEYEARECAAYFAkpNEuQACgkQniDOoMHTA+nmJACeIN9MNA5fWqVXoCFOBMp6y9r9 i/QAn1s9277nlG6JTjZWjmoCADnFTvD2 =a2mC -----END PGP SIGNATURE----- --------------enig837832258430BC6F852EF274--
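Review bot: the 1024-byte floor in the new `MAX(1024, sizeof(msr_list) + msr_list.nmsrs * sizeof(msr_list.indices[0]))` allocation is a magic number, and the comment above it ("Allocate at least a safe amount of 1K.") does not say where 1K comes from, so a reader cannot tell whether it is derived from the largest MSR list the affected kernels could write or is simply a generous guess. Suggest replacing the literal with a named constant and stating in the comment which kernel modules had the bug and what bound the value is based on, so the workaround can be verified as sufficient and later dropped once those kernels are no longer supported. It would also help to note in the comment that `kvm_msr_list->nmsrs` is still set from the count returned by the first `KVM_GET_MSR_INDEX_LIST` query, so the kernel is only ever told the real size; the extra bytes exist solely to absorb the over-write, not to request more entries.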