* [PATCH] s390x/kvm: clamp stsi 3.2.2 size
@ 2026-06-22 9:20 Christian Borntraeger
2026-06-22 15:50 ` Eric Farman
2026-06-26 12:32 ` Cornelia Huck
0 siblings, 2 replies; 3+ messages in thread
From: Christian Borntraeger @ 2026-06-22 9:20 UTC
To: qemu-devel, Cornelia Huck
Cc: qemu-s390x, Halil Pasic, Matthew Rosato, Eric Farman,
Christian Borntraeger, qemu-stable
The stsi 3.2.2 page is being prepared by the kvm module and the size is
clamped by the kernel. As the memory is mapped in the guest, another
guest VCPU could race and overwrite the count and mess up the move
operation. For any out-of-bounds count, fall back to the kernel buffer.
Cc: qemu-stable@nongnu.org
Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
---
target/s390x/kvm/kvm.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c
index ed8cd6b410..a3835573bb 100644
--- a/target/s390x/kvm/kvm.c
+++ b/target/s390x/kvm/kvm.c
@@ -1791,6 +1791,15 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
} else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) {
return;
}
+
+ /*
+ * The memory was filled by the kernel but mapped into the guest.
+ * If something is fishy, do not touch the buffer.
+ */
+ if (sysib.count == 0 || sysib.count > ARRAY_SIZE(sysib.ext_names)) {
+ return;
+ }
+
/* Shift the stack of Extended Names to prepare for our own data */
memmove(&sysib.ext_names[1], &sysib.ext_names[0],
sizeof(sysib.ext_names[0]) * (sysib.count - 1));
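Review bot: the hunk validates sysib.count before the memmove but does not show how count is updated afterwards; if the code following this hunk increments count unconditionally once its own entry is in place, an incoming count equal to ARRAY_SIZE(sysib.ext_names) passes the new check and the page written back to the guest would carry count == ARRAY_SIZE + 1. Either reject count == ARRAY_SIZE here as well or confirm that the later code never pushes count past the array. The comment should also name the concrete defects instead of "If something is fishy": with count == 0 the expression `sysib.count - 1` goes negative and the memmove length wraps to a huge size_t, and with count > ARRAY_SIZE(sysib.ext_names) the memmove reads and writes past the end of ext_names.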
--
2.53.0
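The failure mode the commit message describes, as an added example in C that is not QEMU or KVM code: a constructed stand-in struct (hypothetical layout, not the real SYSIB), a helper that shows the length the unchecked memmove would compute for count == 0, and the bounds-checked shift operating on a private copy of the guest-mapped page rather than on the page itself. It assumes, as the patch's memmove does, that count already includes the slot for the entry being inserted; the names `sysib_322_demo`, `shift_bytes`, `count_is_sane`, `insert_own_name`, `prepare_sysib` and `make_sample_page` are mine, not the project's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed stand-in for the STSI 3.2.2 SYSIB (hypothetical layout, not the
 * real QEMU/KVM struct): only the two fields the ext_names shift touches.
 * Assumption: count already includes the slot for the entry being inserted,
 * so count - 1 existing names are moved up by one (as in the patch's memmove).
 */
#define EXT_NAMES    8
#define EXT_NAME_LEN 16

struct sysib_322_demo {
    uint8_t count;
    char    ext_names[EXT_NAMES][EXT_NAME_LEN];
};

/*
 * Byte length the unchecked memmove passes for a given count. For count == 0,
 * (count - 1) is the int -1, which the multiplication converts to size_t:
 * the result is SIZE_MAX - EXT_NAME_LEN + 1, a length that overruns any buffer.
 */
size_t shift_bytes(uint8_t count)
{
    return sizeof(((struct sysib_322_demo *)0)->ext_names[0]) * (count - 1);
}

/* True iff moving count - 1 entries from ext_names[0] to ext_names[1] stays in bounds. */
bool count_is_sane(uint8_t count)
{
    return count != 0 && count <= EXT_NAMES;
}

/*
 * Shift the existing names up by one and place our own name in slot 0.
 * Returns false and leaves *sysib untouched if the count is out of range,
 * mirroring the patch's early return (the kernel-filled data is kept as is).
 */
bool insert_own_name(struct sysib_322_demo *sysib, const char *name)
{
    if (!count_is_sane(sysib->count)) {
        return false;
    }
    memmove(&sysib->ext_names[1], &sysib->ext_names[0],
            sizeof(sysib->ext_names[0]) * (sysib->count - 1));
    memset(sysib->ext_names[0], 0, sizeof(sysib->ext_names[0]));
    strncpy(sysib->ext_names[0], name, sizeof(sysib->ext_names[0]) - 1);
    return true;
}

/*
 * Model of the race-safe sequence: snapshot the guest-mapped page into a
 * private copy first, then validate and modify only the copy. Another VCPU
 * can still scribble on guest_page, but it cannot change the count that
 * sizes the memmove once the copy has been taken.
 */
bool prepare_sysib(const struct sysib_322_demo *guest_page,
                   struct sysib_322_demo *local, const char *name)
{
    memcpy(local, guest_page, sizeof(*local));
    return insert_own_name(local, name);
}

/* Constructed sample page: two names present, count set by the caller
 * (3 = one reserved slot; 0 and 9 model a count clobbered by another VCPU). */
void make_sample_page(struct sysib_322_demo *page, uint8_t count)
{
    memset(page, 0, sizeof(*page));
    page->count = count;
    strcpy(page->ext_names[0], "level-a");
    strcpy(page->ext_names[1], "level-b");
}
```

With count == 3 the copy ends up as "qemu", "level-a", "level-b"; with count == 0 or count == 9 `prepare_sysib` returns false and the copy is byte-for-byte the page as the kernel left it, which is the fallback the commit message asks for.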
* Re: [PATCH] s390x/kvm: clamp stsi 3.2.2 size
From: Eric Farman @ 2026-06-22 15:50 UTC
To: Christian Borntraeger, qemu-devel, Cornelia Huck
Cc: qemu-s390x, Halil Pasic, Matthew Rosato, qemu-stable
On Mon, 2026-06-22 at 11:20 +0200, Christian Borntraeger wrote:
> The stsi 3.2.2 page is being prepared by the kvm module and the size is
> clamped by the kernel. As the memory is mapped in the guest, another
> guest VCPU could race and overwrite the count and mess up the move
> operation. For any out-of-bounds count, fall back to the kernel buffer.
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
> ---
> target/s390x/kvm/kvm.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
Looks right to me.
Reviewed-by: Eric Farman <farman@linux.ibm.com>
>
> diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c
> index ed8cd6b410..a3835573bb 100644
> --- a/target/s390x/kvm/kvm.c
> +++ b/target/s390x/kvm/kvm.c
> @@ -1791,6 +1791,15 @@ static void insert_stsi_3_2_2(S390CPU *cpu, __u64 addr, uint8_t ar)
> } else if (s390_cpu_virt_mem_read(cpu, addr, ar, &sysib, sizeof(sysib))) {
> return;
> }
> +
> + /*
> + * The memory was filled by the kernel but mapped into the guest.
> + * If something is fishy, do not touch the buffer.
> + */
> + if (sysib.count == 0 || sysib.count > ARRAY_SIZE(sysib.ext_names)) {
> + return;
> + }
> +
> /* Shift the stack of Extended Names to prepare for our own data */
> memmove(&sysib.ext_names[1], &sysib.ext_names[0],
> sizeof(sysib.ext_names[0]) * (sysib.count - 1));
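Review bot: the check runs on the local `sysib` that s390_cpu_virt_mem_read filled a few lines above, not on guest memory, so the race the commit message describes cannot change the count between this test and the memmove; the comment would be clearer if it said that the copy is validated once and the page is left alone on failure. The subject line says "clamp", but the hunk rejects the count and returns early rather than clamping it; "validate" or "reject out-of-range" would describe the change more accurately.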
* Re: [PATCH] s390x/kvm: clamp stsi 3.2.2 size
From: Cornelia Huck @ 2026-06-26 12:32 UTC
To: Christian Borntraeger, qemu-devel
Cc: qemu-s390x, Halil Pasic, Matthew Rosato, Eric Farman,
Christian Borntraeger, qemu-stable
On Mon, Jun 22 2026, Christian Borntraeger <borntraeger@linux.ibm.com> wrote:
> The stsi 3.2.2 page is being prepared by the kvm module and the size is
> clamped by the kernel. As the memory is mapped in the guest, another
> guest VCPU could race and overwrite the count and mess up the move
> operation. For any out-of-bounds count, fall back to the kernel buffer.
>
> Cc: qemu-stable@nongnu.org
> Signed-off-by: Christian Borntraeger <borntraeger@linux.ibm.com>
> ---
> target/s390x/kvm/kvm.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
Thanks, applied.