From mboxrd@z Thu Jan 1 00:00:00 1970
From: Roel Kluin
Subject: [PATCH] KVM: prevent read from desc->shadow_ptes[-1] in rmap_desc_remove_entry()
Date: Sat, 29 Aug 2009 14:13:24 +0200
Message-ID: <4A991B64.3050903@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
To: Avi Kivity , kvm@vger.kernel.org, Andrew Morton
Return-path:
Received: from mail-ew0-f206.google.com ([209.85.219.206]:57833 "EHLO mail-ew0-f206.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752312AbZH2MH5 (ORCPT ); Sat, 29 Aug 2009 08:07:57 -0400
Received: by ewy2 with SMTP id 2so2808303ewy.17 for ; Sat, 29 Aug 2009 05:07:58 -0700 (PDT)
Sender: kvm-owner@vger.kernel.org
List-ID:

prevent read from desc->shadow_ptes[-1]

Signed-off-by: Roel Kluin
---
If in rmap_remove() (bottom) we do:

	while (desc) {
		for (i = 0; i < RMAP_EXT && desc->shadow_ptes[i]; ++i)
			if (desc->shadow_ptes[i] == spte) {
				rmap_desc_remove_entry(rmapp, desc, i, prev_desc);
				return;
			}
		prev_desc = desc;
		desc = desc->more;
	}

If in the first iteration desc->shadow_ptes[0] == spte, then we call rmap_desc_remove_entry() with i == 0, and then we read in the last iteration from desc->shadow_ptes[-1].

I found this by code analysis.

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c index 0ef5bb2..e1b2e46 100644 --- a/arch/x86/kvm/mmu.c +++ b/arch/x86/kvm/mmu.c @@ -541,7 +541,7 @@ static void rmap_desc_remove_entry(unsigned long *rmapp, { int j; - for (j = RMAP_EXT - 1; !desc->shadow_ptes[j] && j > i; --j) + for (j = RMAP_EXT - 1; j > i && !desc->shadow_ptes[j]; --j) ; desc->shadow_ptes[i] = desc->shadow_ptes[j]; desc->shadow_ptes[j] = NULL;
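Review bot: the commit message's claim of a read from desc->shadow_ptes[-1] does not hold for the loop in the hunk, so the description should be corrected before this is merged. In the original condition `!desc->shadow_ptes[j] && j > i`, the body `--j` only runs when the whole condition is true, which requires `j > i`; after the decrement j is therefore still at least i, and with i >= 0 (rmap_remove() passes the index of a slot it just read) the index used in `desc->shadow_ptes[j]` can never go below 0. In the i == 0 case from the description the loop stops at j == 0 either because `!desc->shadow_ptes[0]` is false (that slot holds spte, which the caller's `desc->shadow_ptes[i]` test guarantees is non-NULL) or because `0 > 0` is false, so index -1 is never evaluated. Swapping the operands to `j > i && !desc->shadow_ptes[j]` is still a reasonable change, since checking the bound before the dereference is the conventional and more obviously safe ordering, but it should be presented as a cleanup, not as a fix for an out-of-bounds read; a short comment above the loop stating that it finds the last occupied slot at or after i would also help the next reader.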