From: bugzilla-daemon@bugzilla.kernel.org
To: kvm@vger.kernel.org
Subject: [Bug 207315] New: Out of bounds access in search_memslots() in include/linux/kvm_host.h
Date: Fri, 17 Apr 2020 03:21:48 +0000
Message-ID: <bug-207315-28872@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=207315
Bug ID: 207315
Summary: Out of bounds access in search_memslots() in include/linux/kvm_host.h
Product: Virtualization
Version: unspecified
Kernel Version: 5.7-rc1
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: kvm
Assignee: virtualization_kvm@kernel-bugs.osdl.org
Reporter: sunhaoyl@outlook.com
Regression: No
Created attachment 288543
--> https://bugzilla.kernel.org/attachment.cgi?id=288543&action=edit
kernel config
Description of problem:
A possible out-of-bounds access exists in search_memslots() in include/linux/kvm_host.h.

In search_memslots(struct kvm_memslots *slots, gfn_t gfn), a binary search is
used for slot searching, as the following code shows:

    while (start < end) {
        slot = start + (end - start) / 2;

        if (gfn >= memslots[slot].base_gfn)
            end = slot;
        else
            start = slot + 1;
    }

    if (gfn >= memslots[start].base_gfn &&
        gfn < memslots[start].base_gfn + memslots[start].npages) {
        atomic_set(&slots->lru_slot, start);
        return &memslots[start];
    }

However, *start* may equal *slots->used_slots* when *gfn* is smaller than
every *base_gfn*, which causes an out-of-bounds access in the if-condition.
Version-Release number of selected component (if applicable):
linux-v5.7-rc1
How reproducible:
Easy.
Steps to Reproduce:
1. Compile kernel with config in the attachment.
2. Compile and run the following code:

    #include <stdint.h>
    #include <unistd.h>
    #include <linux/kvm.h>
    #include <asm/kvm.h>
    #include <sys/ioctl.h>
    #include <fcntl.h>

    int main(int argc, char **argv)
    {
        /* Memory region with deliberately unusual slot/flags/size values. */
        struct kvm_userspace_memory_region kvm_userspace_memory_region_0 = {
            .slot = 4098152658,
            .flags = 1653871800,
            .guest_phys_addr = 9228163640593578308,
            .memory_size = 13154652985641659684,
            .userspace_addr = 2934507574655831761
        };
        char *s_0 = "/dev/kvm";
        struct kvm_vapic_addr kvm_vapic_addr_1 = {
            .vapic_addr = 4096
        };

        /* The ioctl request codes are given as raw numbers; the comments name them. */
        int32_t r0 = open(s_0, 0, 0);                            /* open /dev/kvm */
        int32_t r1 = ioctl(r0, 44545, 0);                        /* KVM_CREATE_VM -> VM fd */
        ioctl(r1, 44640);                                        /* KVM_CREATE_IRQCHIP */
        ioctl(r1, 1075883590, &kvm_userspace_memory_region_0);   /* KVM_SET_USER_MEMORY_REGION */
        int32_t r2 = ioctl(r1, 44609, 0);                        /* KVM_CREATE_VCPU -> vCPU fd */
        ioctl(r2, 44672, 0);                                     /* KVM_RUN */
        ioctl(r2, 1074310803, &kvm_vapic_addr_1);                /* KVM_SET_VAPIC_ADDR: reaches
                                                                    __kvm_gfn_to_hva_cache_init()
                                                                    via kvm_lapic_set_vapic_addr(),
                                                                    per the trace below */
        return 0;
    }
Actual results:
Kernel panic as follows:

    [   46.550820][ T6635] BUG: KASAN: slab-out-of-bounds in __kvm_gfn_to_hva_cache_init+0x30b/0x710
    [   46.551811][ T6635] Read of size 8 at addr ffff8880268e1468 by task executor/6635
    [   46.552658][ T6635]
    [   46.552922][ T6635] CPU: 0 PID: 6635 Comm: executor Not tainted 5.6.0+ #65
    [   46.553690][ T6635] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
    [   46.555034][ T6635] Call Trace:
    [   46.555410][ T6635]  dump_stack+0x1e9/0x30e
    [   46.555890][ T6635]  print_address_description+0x74/0x5c0
    [   46.556525][ T6635]  ? printk+0x62/0x83
    [   46.556978][ T6635]  ? vprintk_emit+0x32e/0x3b0
    [   46.557493][ T6635]  __kasan_report+0x103/0x1a0
    [   46.558008][ T6635]  ? __kvm_gfn_to_hva_cache_init+0x30b/0x710
    [   46.558662][ T6635]  ? __kvm_gfn_to_hva_cache_init+0x30b/0x710
    [   46.559321][ T6635]  kasan_report+0x4d/0x80
    [   46.559799][ T6635]  ? __kvm_gfn_to_hva_cache_init+0x30b/0x710
    [   46.560460][ T6635]  ? kvm_lapic_set_vapic_addr+0x7d/0x130
    [   46.561095][ T6635]  ? kvm_arch_vcpu_ioctl+0x15e7/0x3eb0
    [   46.561724][ T6635]  ? kvm_vcpu_ioctl+0xff/0xa80
    [   46.562259][ T6635]  ? kvm_vcpu_ioctl+0x550/0xa80
    [   46.562796][ T6635]  ? kvm_vm_ioctl_get_dirty_log+0x650/0x650
    [   46.563442][ T6635]  ? __se_sys_ioctl+0xf9/0x160
    [   46.563967][ T6635]  ? do_syscall_64+0xf3/0x1b0
    [   46.564483][ T6635]  ? entry_SYSCALL_64_after_hwframe+0x49/0xb3
    [   46.565150][ T6635]
    /* ... */
Expected results:
normal exit
--
You are receiving this mail because:
You are watching the assignee of the bug.
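The search and the missing bounds check, as an added example that is not part of the report or of the kernel's own code: a user-space C model of the quoted search_memslots() loop, with the unchecked final comparison from the report beside a variant that rejects the candidate index before dereferencing it. The struct names memslot/memslots, NSLOTS, the `touched` out-parameter and the stale entry placed at index used_slots are this example's own constructions; it assumes, as the quoted loop does, that live entries are sorted by base_gfn in descending order.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t gfn_t;

/* Stand-in for the two fields of struct kvm_memory_slot that the search uses. */
struct memslot {
	gfn_t base_gfn;
	unsigned long npages;
};

#define NSLOTS 8

/* Stand-in for struct kvm_memslots. Live entries are [0, used_slots) and are
 * kept sorted by base_gfn in DESCENDING order; whatever sits past used_slots
 * is not a valid slot (here: a deliberately stale, constructed entry). */
struct memslots {
	int used_slots;
	int lru_slot;
	struct memslot memslots[NSLOTS];
};

/* The binary search as quoted in the report. Returns the candidate index,
 * which lies in [0, used_slots] INCLUSIVE: it equals used_slots whenever gfn
 * is below every live base_gfn, and equals 0 when used_slots is 0. */
static int bsearch_candidate(const struct memslots *slots, gfn_t gfn)
{
	int start = 0, end = slots->used_slots, slot;
	const struct memslot *memslots = slots->memslots;

	while (start < end) {
		slot = start + (end - start) / 2;
		if (gfn >= memslots[slot].base_gfn)
			end = slot;
		else
			start = slot + 1;
	}
	return start;
}

/* Variant matching the report: dereferences memslots[start] unconditionally.
 * 'touched' records the index that was read so a caller can see when it is
 * out of range (touched == used_slots). Returns the slot index or -1. */
static int search_memslots_unchecked(struct memslots *slots, gfn_t gfn, int *touched)
{
	int start = bsearch_candidate(slots, gfn);
	const struct memslot *memslots = slots->memslots;

	*touched = start;
	if (gfn >= memslots[start].base_gfn &&
	    gfn < memslots[start].base_gfn + memslots[start].npages) {
		slots->lru_slot = start;
		return start;
	}
	return -1;
}

/* Hardened variant: the candidate is only a slot if start < used_slots, so the
 * array is never read at or beyond used_slots. */
static int search_memslots_checked(struct memslots *slots, gfn_t gfn, int *touched)
{
	int start = bsearch_candidate(slots, gfn);
	const struct memslot *memslots = slots->memslots;

	if (start >= slots->used_slots) {
		*touched = -1;
		return -1;
	}
	*touched = start;
	if (gfn >= memslots[start].base_gfn &&
	    gfn < memslots[start].base_gfn + memslots[start].npages) {
		slots->lru_slot = start;
		return start;
	}
	return -1;
}

/* Constructed sample: three live slots plus one stale entry at index
 * used_slots, standing in for the freed or never-initialised memory the
 * kernel would read at that position. */
static struct memslots sample = {
	.used_slots = 3,
	.lru_slot = 0,
	.memslots = {
		{ .base_gfn = 0x300, .npages = 0x100 },
		{ .base_gfn = 0x200, .npages = 0x100 },
		{ .base_gfn = 0x100, .npages = 0x100 },
		{ .base_gfn = 0x0,   .npages = 0x1000 },   /* stale: index == used_slots */
	},
};

int main(void)
{
	int touched, idx;

	/* gfn below every live base_gfn: the unchecked search reads index 3
	 * (== used_slots) and even reports a bogus hit from the stale entry. */
	idx = search_memslots_unchecked(&sample, 0x10, &touched);
	printf("unchecked: gfn 0x10 -> index %d (read memslots[%d], used_slots=%d)\n",
	       idx, touched, sample.used_slots);
	idx = search_memslots_checked(&sample, 0x10, &touched);
	printf("checked:   gfn 0x10 -> index %d (read memslots[%d])\n", idx, touched);

	/* In-range lookups behave identically in both variants. */
	idx = search_memslots_checked(&sample, 0x250, &touched);
	printf("checked:   gfn 0x250 -> index %d\n", idx);
	return 0;
}
```

The point the model makes visible is that the out-of-range read is not only a KASAN splat: with stale data past used_slots the unchecked search can return a phantom slot, which is why the fix must reject the candidate before the comparison rather than after it. The same path is exercised with used_slots == 0, where the candidate is index 0 and the unchecked variant still reads it.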
Thread overview (2 messages):
2020-04-17 3:21 bugzilla-daemon [this message]
2020-04-19 13:06 ` [Bug 207315] Out of bounds access in search_memslots() in include/linux/kvm_host.h bugzilla-daemon