From: Dan Carpenter <dan.carpenter@oracle.com>
To: kbuild@lists.01.org, Aaron Lewis <aaronlewis@google.com>,
jmattson@google.com, graf@amazon.com
Cc: lkp@intel.com, kbuild-all@lists.01.org, pshier@google.com,
oupton@google.com, kvm@vger.kernel.org,
Aaron Lewis <aaronlewis@google.com>,
KarimAllah Ahmed <karahmed@amazon.de>
Subject: Re: [PATCH v3 02/12] KVM: x86: Introduce allow list for MSR emulation
Date: Mon, 31 Aug 2020 13:39:33 +0300 [thread overview]
Message-ID: <20200831103933.GF8299@kadam> (raw)
In-Reply-To: <20200818211533.849501-3-aaronlewis@google.com>
[-- Attachment #1: Type: text/plain, Size: 6537 bytes --]
Hi Aaron,
url: https://github.com/0day-ci/linux/commits/Aaron-Lewis/Allow-userspace-to-manage-MSRs/20200819-051903
base: https://git.kernel.org/pub/scm/virt/kvm/kvm.git linux-next
config: x86_64-randconfig-m001-20200827 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
arch/x86/kvm/x86.c:5248 kvm_vm_ioctl_add_msr_allowlist() error: 'bitmap' dereferencing possible ERR_PTR()
# https://github.com/0day-ci/linux/commit/107c87325cf461b7b1bd07bb6ddbaf808a8d8a2a
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Aaron-Lewis/Allow-userspace-to-manage-MSRs/20200819-051903
git checkout 107c87325cf461b7b1bd07bb6ddbaf808a8d8a2a
vim +/bitmap +5248 arch/x86/kvm/x86.c
107c87325cf461 Aaron Lewis 2020-08-18 5181 static int kvm_vm_ioctl_add_msr_allowlist(struct kvm *kvm, void __user *argp)
107c87325cf461 Aaron Lewis 2020-08-18 5182 {
107c87325cf461 Aaron Lewis 2020-08-18 5183 struct msr_bitmap_range *ranges = kvm->arch.msr_allowlist_ranges;
107c87325cf461 Aaron Lewis 2020-08-18 5184 struct kvm_msr_allowlist __user *user_msr_allowlist = argp;
107c87325cf461 Aaron Lewis 2020-08-18 5185 struct msr_bitmap_range range;
107c87325cf461 Aaron Lewis 2020-08-18 5186 struct kvm_msr_allowlist kernel_msr_allowlist;
107c87325cf461 Aaron Lewis 2020-08-18 5187 unsigned long *bitmap = NULL;
107c87325cf461 Aaron Lewis 2020-08-18 5188 size_t bitmap_size;
107c87325cf461 Aaron Lewis 2020-08-18 5189 int r = 0;
107c87325cf461 Aaron Lewis 2020-08-18 5190
107c87325cf461 Aaron Lewis 2020-08-18 5191 if (copy_from_user(&kernel_msr_allowlist, user_msr_allowlist,
107c87325cf461 Aaron Lewis 2020-08-18 5192 sizeof(kernel_msr_allowlist))) {
107c87325cf461 Aaron Lewis 2020-08-18 5193 r = -EFAULT;
107c87325cf461 Aaron Lewis 2020-08-18 5194 goto out;
107c87325cf461 Aaron Lewis 2020-08-18 5195 }
107c87325cf461 Aaron Lewis 2020-08-18 5196
107c87325cf461 Aaron Lewis 2020-08-18 5197 bitmap_size = BITS_TO_LONGS(kernel_msr_allowlist.nmsrs) * sizeof(long);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^n
On 32 bit systems the BITS_TO_LONGS() can integer overflow if
kernel_msr_allowlist.nmsrs is larger than ULONG_MAX - bits_per_long. In
that case bitmap_size is zero.
107c87325cf461 Aaron Lewis 2020-08-18 5198 if (bitmap_size > KVM_MSR_ALLOWLIST_MAX_LEN) {
107c87325cf461 Aaron Lewis 2020-08-18 5199 r = -EINVAL;
107c87325cf461 Aaron Lewis 2020-08-18 5200 goto out;
107c87325cf461 Aaron Lewis 2020-08-18 5201 }
107c87325cf461 Aaron Lewis 2020-08-18 5202
107c87325cf461 Aaron Lewis 2020-08-18 5203 bitmap = memdup_user(user_msr_allowlist->bitmap, bitmap_size);
107c87325cf461 Aaron Lewis 2020-08-18 5204 if (IS_ERR(bitmap)) {
107c87325cf461 Aaron Lewis 2020-08-18 5205 r = PTR_ERR(bitmap);
107c87325cf461 Aaron Lewis 2020-08-18 5206 goto out;
^^^^^^^^
"out" is always a vague label name. It's better style to return
directly instead of doing a complicated no-op.
if (IS_ERR(bitmap))
return PTR_ERR(bitmap);
107c87325cf461 Aaron Lewis 2020-08-18 5207 }
107c87325cf461 Aaron Lewis 2020-08-18 5208
107c87325cf461 Aaron Lewis 2020-08-18 5209 range = (struct msr_bitmap_range) {
107c87325cf461 Aaron Lewis 2020-08-18 5210 .flags = kernel_msr_allowlist.flags,
107c87325cf461 Aaron Lewis 2020-08-18 5211 .base = kernel_msr_allowlist.base,
107c87325cf461 Aaron Lewis 2020-08-18 5212 .nmsrs = kernel_msr_allowlist.nmsrs,
107c87325cf461 Aaron Lewis 2020-08-18 5213 .bitmap = bitmap,
In case of overflow then "bitmap" is 0x16 and .nmsrs is a very high
number.
107c87325cf461 Aaron Lewis 2020-08-18 5214 };
107c87325cf461 Aaron Lewis 2020-08-18 5215
107c87325cf461 Aaron Lewis 2020-08-18 5216 if (range.flags & ~(KVM_MSR_ALLOW_READ | KVM_MSR_ALLOW_WRITE)) {
107c87325cf461 Aaron Lewis 2020-08-18 5217 r = -EINVAL;
107c87325cf461 Aaron Lewis 2020-08-18 5218 goto out;
107c87325cf461 Aaron Lewis 2020-08-18 5219 }
107c87325cf461 Aaron Lewis 2020-08-18 5220
107c87325cf461 Aaron Lewis 2020-08-18 5221 /*
107c87325cf461 Aaron Lewis 2020-08-18 5222 * Protect from concurrent calls to this function that could trigger
107c87325cf461 Aaron Lewis 2020-08-18 5223 * a TOCTOU violation on kvm->arch.msr_allowlist_ranges_count.
107c87325cf461 Aaron Lewis 2020-08-18 5224 */
107c87325cf461 Aaron Lewis 2020-08-18 5225 mutex_lock(&kvm->lock);
107c87325cf461 Aaron Lewis 2020-08-18 5226
107c87325cf461 Aaron Lewis 2020-08-18 5227 if (kvm->arch.msr_allowlist_ranges_count >=
107c87325cf461 Aaron Lewis 2020-08-18 5228 ARRAY_SIZE(kvm->arch.msr_allowlist_ranges)) {
107c87325cf461 Aaron Lewis 2020-08-18 5229 r = -E2BIG;
107c87325cf461 Aaron Lewis 2020-08-18 5230 goto out_locked;
107c87325cf461 Aaron Lewis 2020-08-18 5231 }
107c87325cf461 Aaron Lewis 2020-08-18 5232
107c87325cf461 Aaron Lewis 2020-08-18 5233 if (msr_range_overlaps(kvm, &range)) {
107c87325cf461 Aaron Lewis 2020-08-18 5234 r = -EINVAL;
107c87325cf461 Aaron Lewis 2020-08-18 5235 goto out_locked;
107c87325cf461 Aaron Lewis 2020-08-18 5236 }
107c87325cf461 Aaron Lewis 2020-08-18 5237
107c87325cf461 Aaron Lewis 2020-08-18 5238 /* Everything ok, add this range identifier to our global pool */
107c87325cf461 Aaron Lewis 2020-08-18 5239 ranges[kvm->arch.msr_allowlist_ranges_count] = range;
107c87325cf461 Aaron Lewis 2020-08-18 5240 /* Make sure we filled the array before we tell anyone to walk it */
107c87325cf461 Aaron Lewis 2020-08-18 5241 smp_wmb();
107c87325cf461 Aaron Lewis 2020-08-18 5242 kvm->arch.msr_allowlist_ranges_count++;
107c87325cf461 Aaron Lewis 2020-08-18 5243
107c87325cf461 Aaron Lewis 2020-08-18 5244 out_locked:
107c87325cf461 Aaron Lewis 2020-08-18 5245 mutex_unlock(&kvm->lock);
107c87325cf461 Aaron Lewis 2020-08-18 5246 out:
107c87325cf461 Aaron Lewis 2020-08-18 5247 if (r)
107c87325cf461 Aaron Lewis 2020-08-18 @5248 kfree(bitmap);
107c87325cf461 Aaron Lewis 2020-08-18 5249
107c87325cf461 Aaron Lewis 2020-08-18 5250 return r;
107c87325cf461 Aaron Lewis 2020-08-18 5251 }
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 43464 bytes --]
next prev parent reply other threads:[~2020-08-31 10:40 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-18 21:15 [PATCH v3 00/12] Allow userspace to manage MSRs Aaron Lewis
2020-08-18 21:15 ` [PATCH v3 01/12] KVM: x86: Deflect unknown MSR accesses to user space Aaron Lewis
2020-08-19 8:42 ` Alexander Graf
2020-08-18 21:15 ` [PATCH v3 02/12] KVM: x86: Introduce allow list for MSR emulation Aaron Lewis
2020-08-19 8:53 ` Alexander Graf
2020-08-31 10:39 ` Dan Carpenter [this message]
2020-09-01 19:13 ` Alexander Graf
2020-09-02 7:31 ` Dan Carpenter
2020-08-18 21:15 ` [PATCH v3 03/12] KVM: selftests: Add test for user space MSR handling Aaron Lewis
2020-08-18 21:15 ` [PATCH v3 04/12] KVM: x86: Add ioctl for accepting a userspace provided MSR list Aaron Lewis
2020-08-19 9:00 ` Alexander Graf
2020-08-20 17:30 ` Jim Mattson
2020-08-20 21:49 ` Alexander Graf
2020-08-20 22:28 ` Jim Mattson
2020-08-18 21:15 ` [PATCH v3 05/12] KVM: x86: Add support for exiting to userspace on rdmsr or wrmsr Aaron Lewis
2020-08-19 10:25 ` Alexander Graf
2020-08-20 18:17 ` Jim Mattson
2020-08-20 21:59 ` Alexander Graf
2020-08-20 22:55 ` Jim Mattson
2020-08-21 17:58 ` Jim Mattson
2020-08-24 1:35 ` Alexander Graf
2020-08-24 17:23 ` Jim Mattson
2020-08-24 18:09 ` Alexander Graf
2020-08-24 18:34 ` Jim Mattson
2020-08-18 21:15 ` [PATCH v3 06/12] KVM: x86: Prepare MSR bitmaps for userspace tracked MSRs Aaron Lewis
2020-08-18 21:15 ` [PATCH v3 07/12] KVM: x86: Ensure the MSR bitmap never clears " Aaron Lewis
2020-08-19 1:12 ` kernel test robot
2020-08-19 1:12 ` [RFC PATCH] KVM: x86: vmx_set_user_msr_intercept() can be static kernel test robot
2020-08-19 15:26 ` [PATCH v3 07/12] KVM: x86: Ensure the MSR bitmap never clears userspace tracked MSRs Alexander Graf
2020-08-20 0:18 ` Aaron Lewis
2020-08-20 22:04 ` Alexander Graf
2020-08-20 22:35 ` Jim Mattson
2020-08-21 14:27 ` Aaron Lewis
2020-08-21 16:07 ` Alexander Graf
2020-08-21 16:43 ` Aaron Lewis
2020-08-26 15:48 ` kernel test robot
2020-08-18 21:15 ` [PATCH v3 08/12] selftests: kvm: Fix the segment descriptor layout to match the actual layout Aaron Lewis
2020-08-18 21:15 ` [PATCH v3 09/12] selftests: kvm: Clear uc so UCALL_NONE is being properly reported Aaron Lewis
2020-08-19 9:13 ` Andrew Jones
2020-08-18 21:15 ` [PATCH v3 10/12] selftests: kvm: Add exception handling to selftests Aaron Lewis
2020-08-18 21:15 ` [PATCH v3 11/12] selftests: kvm: Add a test to exercise the userspace MSR list Aaron Lewis
2020-08-18 21:15 ` [PATCH v3 12/12] selftests: kvm: Add emulated rdmsr, wrmsr tests Aaron Lewis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200831103933.GF8299@kadam \
--to=dan.carpenter@oracle.com \
--cc=aaronlewis@google.com \
--cc=graf@amazon.com \
--cc=jmattson@google.com \
--cc=karahmed@amazon.de \
--cc=kbuild-all@lists.01.org \
--cc=kbuild@lists.01.org \
--cc=kvm@vger.kernel.org \
--cc=lkp@intel.com \
--cc=oupton@google.com \
--cc=pshier@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox