All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sean Christopherson <seanjc@google.com>
To: Mathias Krause <minipli@grsecurity.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>, kvm@vger.kernel.org
Subject: Re: [PATCH v2 3/4] KVM: Limit check IDs for KVM_SET_BOOT_CPU_ID
Date: Fri, 14 Jun 2024 09:35:50 -0700	[thread overview]
Message-ID: <ZmxxZo0Y-UBb9Ztq@google.com> (raw)
In-Reply-To: <20240612215415.3450952-4-minipli@grsecurity.net>

On Wed, Jun 12, 2024, Mathias Krause wrote:
> Do not accept IDs which are definitely invalid by limit checking the
> passed value against KVM_MAX_VCPU_IDS.
> 
> This ensures invalid values, especially on 64-bit systems, don't go
> unnoticed and lead to a valid id by chance when truncated by the final
> assignment.
> 
> Fixes: 73880c80aa9c ("KVM: Break dependency between vcpu index in vcpus array and vcpu_id.")
> Signed-off-by: Mathias Krause <minipli@grsecurity.net>
> ---
>  arch/x86/kvm/x86.c | 12 +++++++++---
>  1 file changed, 9 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 082ac6d95a3a..8bc7b8b2dfc5 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -7220,10 +7220,16 @@ int kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
>  	case KVM_SET_BOOT_CPU_ID:
>  		r = 0;
>  		mutex_lock(&kvm->lock);
> -		if (kvm->created_vcpus)
> +		if (kvm->created_vcpus) {
>  			r = -EBUSY;
> -		else
> -			kvm->arch.bsp_vcpu_id = arg;
> +			goto set_boot_cpu_id_out;
> +		}
> +		if (arg > KVM_MAX_VCPU_IDS) {
> +			r = -EINVAL;
> +			goto set_boot_cpu_id_out;
> +		}
> +		kvm->arch.bsp_vcpu_id = arg;
> +set_boot_cpu_id_out:

Any reason not to check kvm->arch.max_vcpu_ids?  It's not super pretty, but it's
also not super hard.

And rather than use gotos, this can be done with if-elif-else, e.g. with the
below delta get to:

		r = 0;
		mutex_lock(&kvm->lock);
		if (kvm->created_vcpus)
			r = -EBUSY;
		else if (arg > KVM_MAX_VCPU_IDS ||
			 (kvm->arch.max_vcpu_ids && arg > kvm->arch.max_vcpu_ids))
			r = -EINVAL;
		else
			kvm->arch.bsp_vcpu_id = arg;
		mutex_unlock(&kvm->lock);
		break;


diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 6e6f3d31cff0..994aa281b07d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6707,7 +6707,9 @@ int kvm_vm_ioctl_enable_cap(struct kvm *kvm,
                        break;
 
                mutex_lock(&kvm->lock);
-               if (kvm->arch.max_vcpu_ids == cap->args[0]) {
+               if (kvm->arch.bsp_vcpu_id > cap->args[0]) {
+                       ;
+               } else if (kvm->arch.max_vcpu_ids == cap->args[0]) {
                        r = 0;
                } else if (!kvm->arch.max_vcpu_ids) {
                        kvm->arch.max_vcpu_ids = cap->args[0];
@@ -7226,16 +7228,13 @@ int kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
        case KVM_SET_BOOT_CPU_ID:
                r = 0;
                mutex_lock(&kvm->lock);
-               if (kvm->created_vcpus) {
+               if (kvm->created_vcpus)
                        r = -EBUSY;
-                       goto set_boot_cpu_id_out;
-               }
-               if (arg > KVM_MAX_VCPU_IDS) {
+               else if (arg > KVM_MAX_VCPU_IDS ||
+                        (kvm->arch.max_vcpu_ids && arg > kvm->arch.max_vcpu_ids))
                        r = -EINVAL;
-                       goto set_boot_cpu_id_out;
-               }
-               kvm->arch.bsp_vcpu_id = arg;
-set_boot_cpu_id_out:
+               else
+                       kvm->arch.bsp_vcpu_id = arg;
                mutex_unlock(&kvm->lock);
                break;
 #ifdef CONFIG_KVM_XEN

  reply	other threads:[~2024-06-14 16:35 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-12 21:54 [PATCH v2 0/4] KVM: Reject vCPU IDs above 2^32 Mathias Krause
2024-06-12 21:54 ` [PATCH v2 1/4] KVM: Reject overly excessive IDs in KVM_CREATE_VCPU Mathias Krause
2024-06-12 21:54 ` [PATCH v2 2/4] KVM: selftests: Test vCPU IDs above 2^32 Mathias Krause
2024-06-12 21:54 ` [PATCH v2 3/4] KVM: Limit check IDs for KVM_SET_BOOT_CPU_ID Mathias Krause
2024-06-14 16:35   ` Sean Christopherson [this message]
2024-06-14 18:53     ` Mathias Krause
2024-06-14 20:36       ` Sean Christopherson
2024-06-17  7:16         ` Mathias Krause
2024-06-12 21:54 ` [PATCH v2 4/4] KVM: selftests: Test vCPU boot IDs above 2^32 Mathias Krause

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZmxxZo0Y-UBb9Ztq@google.com \
    --to=seanjc@google.com \
    --cc=kvm@vger.kernel.org \
    --cc=minipli@grsecurity.net \
    --cc=pbonzini@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.