Date: Mon, 1 Dec 2025 11:03:17 -0800
In-Reply-To: <20251127001132.13704-1-redacherkaoui67@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Mime-Version: 1.0
References: <20251127001132.13704-1-redacherkaoui67@gmail.com>
Subject: Re: [PATCH] KVM: coalesced_mmio: Fix out-of-bounds write in coalesced_mmio_write()
From: Sean Christopherson
To: redacherkaoui
Cc: pbonzini@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, redahack12-glitch
Content-Type: text/plain; charset="us-ascii"

On Thu, Nov 27, 2025, redacherkaoui wrote:
> From: redahack12-glitch
>
> The coalesced MMIO ring stores each entry's MMIO payload in an 8-byte
> fixed-size buffer (data[8]). However, coalesced_mmio_write() copies
> the payload using memcpy(..., len) without verifying that 'len' does not
> exceed the buffer size.
>
> A malicious

KVM controls all callers.

> or buggy caller could therefore trigger a write past the end of the data[]
> array and corrupt adjacent kernel memory inside the ring page.

True, but if a caller is buggy, KVM likely has bigger problems because KVM
relies on MMIO (and PIO) accesses being no larger than 8 in a number of
locations.

If we want to harden KVM, kvm_iodevice_{read,write}() would be a better place
for a sanity check.
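The unbounded-memcpy pattern the patch describes, next to a length check placed at the single entry point all callers go through, which is the spirit of the reply's suggestion. This is an added example and not KVM code: the entry layout (8-byte phys_addr, 32-bit len and pad, data[8]), the ring size, and every function name are assumptions for illustration. The ring is modelled as a flat byte array so that the over-long copy stays inside one well-defined object and the clobbered neighbour can be read back; the 16-byte payload and the 0xDEADBEEF sentinel are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#define RING_ENTRIES 4
#define PAYLOAD_MAX  8    /* the data[8] field described in the patch */

/* Assumed entry layout for illustration; not the kernel's uapi definition. */
struct mmio_entry {
    uint64_t phys_addr;
    uint32_t len;
    uint32_t pad;
    uint8_t  data[PAYLOAD_MAX];
};

/* The ring is a flat byte array (one "page") so an over-long copy stays
 * inside a single object and its effect on the next slot can be inspected. */
struct mmio_ring {
    uint8_t  page[RING_ENTRIES * sizeof(struct mmio_entry)];
    uint32_t last;
};

static size_t slot_off(uint32_t idx)
{
    return (size_t)(idx % RING_ENTRIES) * sizeof(struct mmio_entry);
}

static uint64_t slot_addr(const struct mmio_ring *r, uint32_t idx)
{
    uint64_t a;
    memcpy(&a, r->page + slot_off(idx) + offsetof(struct mmio_entry, phys_addr), sizeof a);
    return a;
}

/* Unchecked write: the pattern the patch reports.  'len' bytes land in the
 * 8-byte data field with no bound, so len > 8 runs on into the next slot. */
static void ring_write_unchecked(struct mmio_ring *r, uint64_t addr,
                                 const void *val, unsigned int len)
{
    uint8_t *slot = r->page + slot_off(r->last);
    uint32_t l = len;

    memcpy(slot + offsetof(struct mmio_entry, phys_addr), &addr, sizeof addr);
    memcpy(slot + offsetof(struct mmio_entry, len), &l, sizeof l);
    memcpy(slot + offsetof(struct mmio_entry, data), val, len);  /* unbounded */
    r->last++;
}

/* Checked write: refuse before anything is copied.  Returns 0 on success or
 * -EINVAL for a width the entry cannot hold (a caller bug, not guest input). */
static int ring_write_checked(struct mmio_ring *r, uint64_t addr,
                              const void *val, unsigned int len)
{
    if (len == 0 || len > PAYLOAD_MAX)
        return -EINVAL;
    ring_write_unchecked(r, addr, val, len);
    return 0;
}

/* Seed slot 1 with a sentinel so any clobbering of it is observable. */
static void seed_ring(struct mmio_ring *r, uint64_t sentinel)
{
    memset(r, 0, sizeof *r);
    memcpy(r->page + slot_off(1) + offsetof(struct mmio_entry, phys_addr),
           &sentinel, sizeof sentinel);
}

/* Unchecked path: a constructed 16-byte payload into slot 0; returns slot 1's
 * phys_addr afterwards, which now consists of payload bytes (0xAA...). */
static uint64_t demo_unchecked_clobbers_neighbour(void)
{
    struct mmio_ring r;
    uint8_t payload[16];

    seed_ring(&r, 0xDEADBEEFULL);
    memset(payload, 0xAA, sizeof payload);
    ring_write_unchecked(&r, 0x1000, payload, sizeof payload);
    return slot_addr(&r, 1);
}

/* Checked path: the same 16-byte write is rejected with -EINVAL and slot 1
 * still holds the sentinel.  Returns 1 if both hold, 0 otherwise. */
static int demo_checked_rejects_wide_write(void)
{
    struct mmio_ring r;
    uint8_t payload[16];
    int rc;

    seed_ring(&r, 0xDEADBEEFULL);
    memset(payload, 0xAA, sizeof payload);
    rc = ring_write_checked(&r, 0x1000, payload, sizeof payload);
    return rc == -EINVAL && slot_addr(&r, 1) == 0xDEADBEEFULL;
}

/* An ordinary 8-byte access passes the check; returns the rc (0). */
static int demo_checked_accepts_qword(void)
{
    struct mmio_ring r;
    uint64_t v = 0x0123456789abcdefULL;

    seed_ring(&r, 0);
    return ring_write_checked(&r, 0x2000, &v, sizeof v);
}

int main(void)
{
    printf("unchecked: slot 1 phys_addr = 0x%llx\n",
           (unsigned long long)demo_unchecked_clobbers_neighbour());
    printf("checked: rejected and neighbour intact = %d\n",
           demo_checked_rejects_wide_write());
    printf("checked: 8-byte write rc = %d\n", demo_checked_accepts_qword());
    return 0;
}
```

The unchecked variant writes 16 bytes starting at offset 16 of the page, so it covers slot 1's phys_addr (offsets 24..31) entirely; that is the "adjacent kernel memory inside the ring page" of the commit message, made visible. The checked variant rejects the access before the first memcpy, so the ring is never partially updated, and because the check sits in the one function every caller uses it also catches callers that were never audited individually.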