From: Dan Carpenter <dan.carpenter@oracle.com>
To: guang.zeng@intel.com
Cc: kvm@vger.kernel.org
Subject: [bug report] kvm: x86: Add support for getting/setting expanded xstate buffer
Date: Tue, 11 Jan 2022 08:51:17 +0300
Message-ID: <20220111055117.GA3117@kili>

Hello Guang Zeng,

The patch 16786d406fe8: "kvm: x86: Add support for getting/setting
expanded xstate buffer" from Jan 5, 2022, leads to the following
Smatch static checker warning:

	arch/x86/kvm/x86.c:5411 kvm_arch_vcpu_ioctl()
	warn: is memdup() '0-s32max' large enough for 'struct kvm_xsave'

arch/x86/kvm/x86.c
    5390         case KVM_GET_XSAVE: {
    5391                 r = -EINVAL;
    5392                 if (vcpu->arch.guest_fpu.uabi_size > sizeof(struct kvm_xsave))
    5393                         break;
    5394 
    5395                 u.xsave = kzalloc(sizeof(struct kvm_xsave), GFP_KERNEL_ACCOUNT);
    5396                 r = -ENOMEM;
    5397                 if (!u.xsave)
    5398                         break;
    5399 
    5400                 kvm_vcpu_ioctl_x86_get_xsave(vcpu, u.xsave);
    5401 
    5402                 r = -EFAULT;
    5403                 if (copy_to_user(argp, u.xsave, sizeof(struct kvm_xsave)))
    5404                         break;
    5405                 r = 0;
    5406                 break;
    5407         }
    5408         case KVM_SET_XSAVE: {
    5409                 int size = vcpu->arch.guest_fpu.uabi_size;
    5410 

There is no check whether size >= sizeof(struct kvm_xsave).

--> 5411                 u.xsave = memdup_user(argp, size);
    5412                 if (IS_ERR(u.xsave)) {
    5413                         r = PTR_ERR(u.xsave);
    5414                         goto out_nofree;
    5415                 }
    5416 
    5417                 r = kvm_vcpu_ioctl_x86_set_xsave(vcpu, u.xsave);

So this can read out of bounds.

    5418                 break;
    5419         }
    5420 
    5421         case KVM_GET_XSAVE2: {
    5422                 int size = vcpu->arch.guest_fpu.uabi_size;
    5423 
    5424                 u.xsave = kzalloc(size, GFP_KERNEL_ACCOUNT);
    5425                 r = -ENOMEM;
    5426                 if (!u.xsave)
    5427                         break;
    5428 
    5429                 kvm_vcpu_ioctl_x86_get_xsave2(vcpu, u.buffer, size);
    5430 
    5431                 r = -EFAULT;
    5432                 if (copy_to_user(argp, u.xsave, size))
    5433                         break;
    5434 
    5435                 r = 0;
    5436                 break;
    5437         }
    5438 

regards,
dan carpenter
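To make the missing check concrete, here is an added userspace model of the KVM_SET_XSAVE path (illustration only, not kernel code and not part of the report): the consumer reads a full struct kvm_xsave, so the handler validates uabi_size against that size before copying. The 16-word region, consume_xsave(), set_xsave_checked() and run_sample() are constructed for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed: the real struct kvm_xsave has 1024 u32 words (4096 bytes). */
#define KVM_XSAVE_WORDS 16

struct kvm_xsave {
	uint32_t region[KVM_XSAVE_WORDS];
};

/* Model of kvm_vcpu_ioctl_x86_set_xsave(): it unconditionally reads
 * sizeof(struct kvm_xsave) bytes from the buffer it is handed. */
static uint32_t consume_xsave(const struct kvm_xsave *xs)
{
	uint32_t sum = 0;
	for (size_t i = 0; i < KVM_XSAVE_WORDS; i++)
		sum += xs->region[i];
	return sum;
}

/* Model of the ioctl handler with the check the report says is missing:
 * if uabi_size is smaller than struct kvm_xsave, reject the request
 * instead of allocating a short buffer that the consumer overreads.
 * Returns 0 or a negative errno, like the ioctl's r. */
int set_xsave_checked(const void *argp, int uabi_size, uint32_t *sum)
{
	if (uabi_size < (int)sizeof(struct kvm_xsave))
		return -EINVAL;

	/* memdup_user() equivalent: allocate exactly uabi_size bytes. */
	struct kvm_xsave *xs = malloc((size_t)uabi_size);
	if (!xs)
		return -ENOMEM;
	memcpy(xs, argp, (size_t)uabi_size);

	*sum = consume_xsave(xs);
	free(xs);
	return 0;
}

/* Constructed "user" buffer: words 1..16 (sum 136). Returns the consumer's
 * sum on success or the negative errno the handler produced. */
long run_sample(int uabi_size)
{
	uint32_t buf[KVM_XSAVE_WORDS], sum = 0;
	for (uint32_t i = 0; i < KVM_XSAVE_WORDS; i++)
		buf[i] = i + 1;
	int rc = set_xsave_checked(buf, uabi_size, &sum);
	return rc < 0 ? rc : (long)sum;
}
```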
