Kernel KVM virtualization development
 help / color / mirror / Atom feed
* [PATCH] RISC-V: KVM: Fix heap overflow in SBI PMU event info handler
@ 2026-07-07 19:27 Naveed Khan
  2026-07-07 19:48 ` sashiko-bot
  0 siblings, 1 reply; 2+ messages in thread
From: Naveed Khan @ 2026-07-07 19:27 UTC (permalink / raw)
  To: kvm

kvm_riscv_vcpu_pmu_event_info() implements the SBI PMU EVENT_GET_INFO
call. It sizes the temporary shared-memory buffer that mirrors the
guest's event-info array with:

	int shmem_size = num_events * sizeof(*einfo);

num_events comes directly from the guest (SBI argument a2) and is only
rejected when it is zero; there is no upper bound. sizeof(*einfo) is 16,
so the multiplication is evaluated as size_t but the result is then
truncated when it is stored into the 32-bit int shmem_size.

A guest can pass, for example, num_events = 0x10000001. The real size is
0x100000010 bytes, but shmem_size truncates to 16. kzalloc() then
allocates room for a single entry while the following loop still runs the
full 64-bit num_events times:

	for (int i = 0; i < num_events; i++) {
		...
		einfo[i].output = (ret > 0) ? 1 : 0;
	}

This is a guest-triggerable heap out-of-bounds read and write that
extends far past the allocation.

Compute the size with size_mul() into a size_t so the value used for the
allocation always matches the loop bound. For an oversized num_events the
multiplication saturates to SIZE_MAX, kzalloc() fails and the call
returns SBI_ERR_FAILURE before the loop runs; well-formed requests behave
exactly as before.

Signed-off-by: Naveed Khan <naveed@digiscrypt.com>
---
diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
index bb46dcbfb2..ff940fa74b 100644
--- a/arch/riscv/kvm/vcpu_pmu.c
+++ b/arch/riscv/kvm/vcpu_pmu.c
@@ -12,6 +12,7 @@
 #include <linux/err.h>
 #include <linux/kvm_host.h>
 #include <linux/nospec.h>
+#include <linux/overflow.h>
 #include <linux/perf/riscv_pmu.h>
 #include <asm/csr.h>
 #include <asm/kvm_isa.h>
@@ -479,7 +480,7 @@ int kvm_riscv_vcpu_pmu_event_info(struct kvm_vcpu *vcpu, unsigned long saddr_low
 				  unsigned long flags, struct kvm_vcpu_sbi_return *retdata)
 {
 	struct riscv_pmu_event_info *einfo = NULL;
-	int shmem_size = num_events * sizeof(*einfo);
+	size_t shmem_size = size_mul(num_events, sizeof(*einfo));
 	gpa_t shmem;
 	u32 eidx, etype;
 	u64 econfig;
-- 
2.50.1 (Apple Git-155)

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] RISC-V: KVM: Fix heap overflow in SBI PMU event info handler
  2026-07-07 19:27 [PATCH] RISC-V: KVM: Fix heap overflow in SBI PMU event info handler Naveed Khan
@ 2026-07-07 19:48 ` sashiko-bot
  0 siblings, 0 replies; 2+ messages in thread
From: sashiko-bot @ 2026-07-07 19:48 UTC (permalink / raw)
  To: Naveed Khan; +Cc: kvm

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] An unbounded, guest-controlled `num_events` parameter translates into a large memory allocation, triggering a `WARN_ON_ONCE` in the host's page allocator.
--

--- Patch [1]: [PATCH] RISC-V: KVM: Fix heap overflow in SBI PMU event info handler ---
commit 59f34c484dfc616073369a4a2f4ea4eb32bc7ab5
Author: Naveed Khan <naveed@digiscrypt.com>

RISC-V: KVM: Fix heap overflow in SBI PMU event info handler

This commit fixes a heap out-of-bounds read and write by using size_mul()
to calculate the shared memory size, saturating to SIZE_MAX on overflow
so the allocation fails safely.

> diff --git a/arch/riscv/kvm/vcpu_pmu.c b/arch/riscv/kvm/vcpu_pmu.c
> index bb46dcbfb24da..ff940fa74b55d 100644
> --- a/arch/riscv/kvm/vcpu_pmu.c
> +++ b/arch/riscv/kvm/vcpu_pmu.c

[ ... ]

> @@ -479,7 +480,7 @@ int kvm_riscv_vcpu_pmu_event_info(struct kvm_vcpu *vcpu, unsigned long saddr_low
>  				  unsigned long flags, struct kvm_vcpu_sbi_return *retdata)
>  {
>  	struct riscv_pmu_event_info *einfo = NULL;
> -	int shmem_size = num_events * sizeof(*einfo);
> +	size_t shmem_size = size_mul(num_events, sizeof(*einfo));

[Severity: High]
This is a pre-existing issue, but does this allocation still allow a guest
to trigger a host warning?

Because num_events comes directly from the guest without an upper bound, a
malicious guest can provide an extremely large value. While size_mul() now
safely saturates to SIZE_MAX and prevents the loop mismatch, this massive
size is subsequently passed to kzalloc():

arch/riscv/kvm/vcpu_pmu.c:kvm_riscv_vcpu_pmu_event_info() {
    ...
    einfo = kzalloc(shmem_size, GFP_KERNEL);
    ...
}

Since GFP_KERNEL lacks the __GFP_NOWARN flag, passing a size that evaluates
to an order larger than MAX_PAGE_ORDER will trigger a WARN_ON_ONCE in the
host's page allocator.

If panic_on_warn is enabled on the host, this results in a guest-triggerable
host denial of service. Should this allocation include __GFP_NOWARN, or
should num_events be explicitly bounded before the allocation?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/178345245327.72065.13249716450708539854@digiscrypt.com?part=1

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-07 19:48 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-07 19:27 [PATCH] RISC-V: KVM: Fix heap overflow in SBI PMU event info handler Naveed Khan
2026-07-07 19:48 ` sashiko-bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox