* [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
@ 2023-04-19 10:16 Dan Carpenter
2023-04-19 10:17 ` Steven Price
` (3 more replies)
0 siblings, 4 replies; 6+ messages in thread
From: Dan Carpenter @ 2023-04-19 10:16 UTC (permalink / raw)
To: Andre Przywara
Cc: Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu,
Catalin Marinas, Will Deacon, Eric Auger, Steven Price,
linux-arm-kernel, kvmarm, kernel-janitors
The KVM_REG_SIZE() comes from the ioctl and it can be a power of two
between 0-32768 but if it is more than sizeof(long) this will corrupt
memory.
Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
v2: The original patch was okay but checking for != sizeof(val) is
stricter and more Obviously Correct[tm]. Return -ENOENT instead of
-EINVAL in case future ioctls are added which take a different size.
arch/arm64/kvm/hypercalls.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
index 2e16fc7b31bf..7fb4df0456de 100644
--- a/arch/arm64/kvm/hypercalls.c
+++ b/arch/arm64/kvm/hypercalls.c
@@ -544,6 +544,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
u64 val;
int wa_level;
+ if (KVM_REG_SIZE(reg->id) != sizeof(val))
+ return -ENOENT;
if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id)))
return -EFAULT;
--
2.39.2
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
2023-04-19 10:16 [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() Dan Carpenter
@ 2023-04-19 10:17 ` Steven Price
2023-04-19 10:21 ` Eric Auger
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Steven Price @ 2023-04-19 10:17 UTC (permalink / raw)
To: Dan Carpenter, Andre Przywara
Cc: Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu,
Catalin Marinas, Will Deacon, Eric Auger, linux-arm-kernel,
kvmarm, kernel-janitors
On 19/04/2023 11:16, Dan Carpenter wrote:
> The KVM_REG_SIZE() comes from the ioctl and it can be a power of two
> between 0-32768 but if it is more than sizeof(long) this will corrupt
> memory.
>
> Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Steven Price <steven.price@arm.com>
Thanks,
Steve
> ---
> v2: The original patch was okay but checking for != sizeof(val) is
> stricter and more Obviously Correct[tm]. Return -ENOENT instead of
> -EINVAL in case future ioctls are added which take a different size.
>
> arch/arm64/kvm/hypercalls.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
> index 2e16fc7b31bf..7fb4df0456de 100644
> --- a/arch/arm64/kvm/hypercalls.c
> +++ b/arch/arm64/kvm/hypercalls.c
> @@ -544,6 +544,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
> u64 val;
> int wa_level;
>
> + if (KVM_REG_SIZE(reg->id) != sizeof(val))
> + return -ENOENT;
> if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id)))
> return -EFAULT;
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
2023-04-19 10:16 [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() Dan Carpenter
2023-04-19 10:17 ` Steven Price
@ 2023-04-19 10:21 ` Eric Auger
2023-04-19 11:31 ` Marc Zyngier
2023-04-19 15:24 ` Oliver Upton
3 siblings, 0 replies; 6+ messages in thread
From: Eric Auger @ 2023-04-19 10:21 UTC (permalink / raw)
To: Dan Carpenter, Andre Przywara
Cc: Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu,
Catalin Marinas, Will Deacon, Steven Price, linux-arm-kernel,
kvmarm, kernel-janitors
On 4/19/23 12:16, Dan Carpenter wrote:
> The KVM_REG_SIZE() comes from the ioctl and it can be a power of two
> between 0-32768 but if it is more than sizeof(long) this will corrupt
> memory.
>
> Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> v2: The original patch was okay but checking for != sizeof(val) is
> stricter and more Obviously Correct[tm]. Return -ENOENT instead of
> -EINVAL in case future ioctls are added which take a different size.
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Eric
>
> arch/arm64/kvm/hypercalls.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
> index 2e16fc7b31bf..7fb4df0456de 100644
> --- a/arch/arm64/kvm/hypercalls.c
> +++ b/arch/arm64/kvm/hypercalls.c
> @@ -544,6 +544,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
> u64 val;
> int wa_level;
>
> + if (KVM_REG_SIZE(reg->id) != sizeof(val))
> + return -ENOENT;
> if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id)))
> return -EFAULT;
>
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
2023-04-19 10:16 [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() Dan Carpenter
2023-04-19 10:17 ` Steven Price
2023-04-19 10:21 ` Eric Auger
@ 2023-04-19 11:31 ` Marc Zyngier
2023-04-19 12:06 ` Dan Carpenter
2023-04-19 15:24 ` Oliver Upton
3 siblings, 1 reply; 6+ messages in thread
From: Marc Zyngier @ 2023-04-19 11:31 UTC (permalink / raw)
To: Dan Carpenter
Cc: Andre Przywara, Oliver Upton, James Morse, Suzuki K Poulose,
Zenghui Yu, Catalin Marinas, Will Deacon, Eric Auger,
Steven Price, linux-arm-kernel, kvmarm, kernel-janitors
Hi Dan,
On Wed, 19 Apr 2023 11:16:13 +0100,
Dan Carpenter <dan.carpenter@linaro.org> wrote:
>
> The KVM_REG_SIZE() comes from the ioctl and it can be a power of two
> between 0-32768 but if it is more than sizeof(long) this will corrupt
> memory.
>
> Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> v2: The original patch was okay but checking for != sizeof(val) is
> stricter and more Obviously Correct[tm]. Return -ENOENT instead of
> -EINVAL in case future ioctls are added which take a different size.
>
> arch/arm64/kvm/hypercalls.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
> index 2e16fc7b31bf..7fb4df0456de 100644
> --- a/arch/arm64/kvm/hypercalls.c
> +++ b/arch/arm64/kvm/hypercalls.c
> @@ -544,6 +544,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
> u64 val;
> int wa_level;
>
> + if (KVM_REG_SIZE(reg->id) != sizeof(val))
> + return -ENOENT;
> if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id)))
> return -EFAULT;
>
Thanks for the fix. In the future, please Cc me on KVM/arm64 patches
(specially this particular variety of patches...).
Reviewed-by: Marc Zyngier <maz@kernel.org>
M.
--
Without deviation from the norm, progress is not possible.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
2023-04-19 11:31 ` Marc Zyngier
@ 2023-04-19 12:06 ` Dan Carpenter
0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2023-04-19 12:06 UTC (permalink / raw)
To: Marc Zyngier
Cc: Andre Przywara, Oliver Upton, James Morse, Suzuki K Poulose,
Zenghui Yu, Catalin Marinas, Will Deacon, Eric Auger,
Steven Price, linux-arm-kernel, kvmarm, kernel-janitors
On Wed, Apr 19, 2023 at 12:31:53PM +0100, Marc Zyngier wrote:
> Thanks for the fix. In the future, please Cc me on KVM/arm64 patches
Sorry Marc, that wasn't intentional at all. I don't know what happened.
I have a script that I use send patches and it messed up both times. I
will investigate and fix.
regards,
dan carpenter
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
2023-04-19 10:16 [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() Dan Carpenter
` (2 preceding siblings ...)
2023-04-19 11:31 ` Marc Zyngier
@ 2023-04-19 15:24 ` Oliver Upton
3 siblings, 0 replies; 6+ messages in thread
From: Oliver Upton @ 2023-04-19 15:24 UTC (permalink / raw)
To: Dan Carpenter, Andre Przywara
Cc: Oliver Upton, James Morse, Zenghui Yu, Catalin Marinas,
Steven Price, Suzuki K Poulose, kernel-janitors, kvmarm,
Eric Auger, Will Deacon, linux-arm-kernel
On Wed, 19 Apr 2023 13:16:13 +0300, Dan Carpenter wrote:
> The KVM_REG_SIZE() comes from the ioctl and it can be a power of two
> between 0-32768 but if it is more than sizeof(long) this will corrupt
> memory.
>
>
Applied to kvmarm/fixes, thanks!
[1/1] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
https://git.kernel.org/kvmarm/kvmarm/c/a25bc8486f9c
--
Best,
Oliver
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-04-19 15:25 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-04-19 10:16 [PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg() Dan Carpenter
2023-04-19 10:17 ` Steven Price
2023-04-19 10:21 ` Eric Auger
2023-04-19 11:31 ` Marc Zyngier
2023-04-19 12:06 ` Dan Carpenter
2023-04-19 15:24 ` Oliver Upton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).