[GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master)

public inbox for kvm@vger.kernel.org
 help / color / mirror / Atom feed

* [GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master)
@ 2017-01-20 15:04 Christian Borntraeger
  2017-01-20 15:04 ` [GIT PULL 1/1] KVM: s390: do not expose random data via facility bitmap Christian Borntraeger
  2017-01-20 17:25 ` [GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master) Radim Krčmář
  0 siblings, 2 replies; 3+ messages in thread
From: Christian Borntraeger @ 2017-01-20 15:04 UTC (permalink / raw)
  To: Paolo Bonzini, Radim Krčmář
  Cc: KVM, Christian Borntraeger, Cornelia Huck, Jens Freimann,
	linux-s390

Paolo, Radim,

a fix for 4.10 (and stable).

The following changes since commit a121103c922847ba5010819a3f250f1f7fc84ab8:

  Linux 4.10-rc3 (2017-01-08 14:18:17 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux.git  tags/kvm-s390-master-4.10-1

for you to fetch changes up to 04478197416e3a302e9ebc917ba1aa884ef9bfab:

  KVM: s390: do not expose random data via facility bitmap (2017-01-20 15:29:34 +0100)

----------------------------------------------------------------
KVM: s390: Fix for 4.10 (via kvm/master)

Fix a kernel memory exposure.

----------------------------------------------------------------
Christian Borntraeger (1):
      KVM: s390: do not expose random data via facility bitmap

 arch/s390/kvm/kvm-s390.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [GIT PULL 1/1] KVM: s390: do not expose random data via facility bitmap
  2017-01-20 15:04 [GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master) Christian Borntraeger
@ 2017-01-20 15:04 ` Christian Borntraeger
  2017-01-20 17:25 ` [GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master) Radim Krčmář
  1 sibling, 0 replies; 3+ messages in thread
From: Christian Borntraeger @ 2017-01-20 15:04 UTC (permalink / raw)
  To: Paolo Bonzini, Radim Krčmář
  Cc: KVM, Christian Borntraeger, Cornelia Huck, Jens Freimann,
	linux-s390, stable

kvm_s390_get_machine() populates the facility bitmap by copying bytes
from the host results that are stored in a 256 byte array in the prefix
page. The KVM code does use the size of the target buffer (2k), thus
copying and exposing unrelated kernel memory (mostly machine check
related logout data).

Let's use the size of the source buffer instead.  This is ok, as the
target buffer will always be greater or equal than the source buffer as
the KVM internal buffers (and thus S390_ARCH_FAC_LIST_SIZE_BYTE) cover
the maximum possible size that is allowed by STFLE, which is 256
doublewords. All structures are zero allocated so we can leave bytes
256-2047 unchanged.

Add a similar fix for kvm_arch_init_vm().

Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
[found with smatch]
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
CC: stable@vger.kernel.org
Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
---
 arch/s390/kvm/kvm-s390.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index bec71e9..6484a25 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -916,7 +916,7 @@ static int kvm_s390_get_machine(struct kvm *kvm, struct kvm_device_attr *attr)
 	memcpy(&mach->fac_mask, kvm->arch.model.fac_mask,
 	       S390_ARCH_FAC_LIST_SIZE_BYTE);
 	memcpy((unsigned long *)&mach->fac_list, S390_lowcore.stfle_fac_list,
-	       S390_ARCH_FAC_LIST_SIZE_BYTE);
+	       sizeof(S390_lowcore.stfle_fac_list));
 	if (copy_to_user((void __user *)attr->addr, mach, sizeof(*mach)))
 		ret = -EFAULT;
 	kfree(mach);
@@ -1437,7 +1437,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)
 
 	/* Populate the facility mask initially. */
 	memcpy(kvm->arch.model.fac_mask, S390_lowcore.stfle_fac_list,
-	       S390_ARCH_FAC_LIST_SIZE_BYTE);
+	       sizeof(S390_lowcore.stfle_fac_list));
 	for (i = 0; i < S390_ARCH_FAC_LIST_SIZE_U64; i++) {
 		if (i < kvm_s390_fac_list_mask_size())
 			kvm->arch.model.fac_mask[i] &= kvm_s390_fac_list_mask[i];
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master)
  2017-01-20 15:04 [GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master) Christian Borntraeger
  2017-01-20 15:04 ` [GIT PULL 1/1] KVM: s390: do not expose random data via facility bitmap Christian Borntraeger
@ 2017-01-20 17:25 ` Radim Krčmář
  1 sibling, 0 replies; 3+ messages in thread
From: Radim Krčmář @ 2017-01-20 17:25 UTC (permalink / raw)
  To: Christian Borntraeger
  Cc: Paolo Bonzini, KVM, Cornelia Huck, Jens Freimann, linux-s390

2017-01-20 16:04+0100, Christian Borntraeger:
> Paolo, Radim,
> 
> a fix for 4.10 (and stable).

Pulled, thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2017-01-20 17:25 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-01-20 15:04 [GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master) Christian Borntraeger
2017-01-20 15:04 ` [GIT PULL 1/1] KVM: s390: do not expose random data via facility bitmap Christian Borntraeger
2017-01-20 17:25 ` [GIT PULL 0/1] KVM: s390: Fix for 4.10 (via kvm/master) Radim Krčmář

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox