[PATCH 4.19 61/99] KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Cfir Cohen <cfir@google.com>,
	David Rientjes <rientjes@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 61/99] KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow
Date: Mon,  6 May 2019 16:32:34 +0200	[thread overview]
Message-ID: <20190506143059.604447144@linuxfoundation.org> (raw)
In-Reply-To: <20190506143053.899356316@linuxfoundation.org>

[ Upstream commit b86bc2858b389255cd44555ce4b1e427b2b770c0 ]

This ensures that the address and length provided to DBG_DECRYPT and
DBG_ENCRYPT do not cause an overflow.

At the same time, pass the actual number of pages pinned in memory to
sev_unpin_memory() as a cleanup.

Reported-by: Cfir Cohen <cfir@google.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/svm.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 813cb60eb401..8dd9208ae4de 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -6789,7 +6789,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)
 	struct page **src_p, **dst_p;
 	struct kvm_sev_dbg debug;
 	unsigned long n;
-	int ret, size;
+	unsigned int size;
+	int ret;
 
 	if (!sev_guest(kvm))
 		return -ENOTTY;
@@ -6797,6 +6798,11 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)
 	if (copy_from_user(&debug, (void __user *)(uintptr_t)argp->data, sizeof(debug)))
 		return -EFAULT;
 
+	if (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr)
+		return -EINVAL;
+	if (!debug.dst_uaddr)
+		return -EINVAL;
+
 	vaddr = debug.src_uaddr;
 	size = debug.len;
 	vaddr_end = vaddr + size;
@@ -6847,8 +6853,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct kvm_sev_cmd *argp, bool dec)
 						     dst_vaddr,
 						     len, &argp->error);
 
-		sev_unpin_memory(kvm, src_p, 1);
-		sev_unpin_memory(kvm, dst_p, 1);
+		sev_unpin_memory(kvm, src_p, n);
+		sev_unpin_memory(kvm, dst_p, n);
 
 		if (ret)
 			goto err;
-- 
2.20.1

next prev parent reply	other threads:[~2019-05-06 14:43 UTC|newest]

Thread overview: 111+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-06 14:31 [PATCH 4.19 00/99] 4.19.41-stable review Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 01/99] iwlwifi: fix driver operation for 5350 Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 02/99] mwifiex: Make resume actually do something useful again on SDIO cards Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 03/99] mac80211: dont attempt to rename ERR_PTR() debugfs dirs Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 04/99] i2c: synquacer: fix enumeration of slave devices Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 05/99] i2c: imx: correct the method of getting private data in notifier_call Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 06/99] i2c: Remove unnecessary call to irq_find_mapping Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 07/99] i2c: Clear client->irq in i2c_device_remove Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 08/99] i2c: Allow recovery of the initial IRQ by an I2C client device Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 09/99] i2c: Prevent runtime suspend of adapter when Host Notify is required Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 10/99] ALSA: hda/realtek - Add new Dell platform for headset mode Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 11/99] ALSA: hda/realtek - Fixed Dell AIO speaker noise Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 12/99] ALSA: hda/realtek - Apply the fixup for ASUS Q325UAR Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 13/99] USB: yurex: Fix protection fault after device removal Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 14/99] USB: w1 ds2490: Fix bug caused by improper use of altsetting array Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 15/99] USB: dummy-hcd: Fix failure to give back unlinked URBs Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 16/99] usb: usbip: fix isoc packet num validation in get_pipe Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 17/99] USB: core: Fix unterminated string returned by usb_string() Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 18/99] USB: core: Fix bug caused by duplicate interface PM usage counter Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 19/99] nvme-loop: init nvmet_ctrl fatal_err_work when allocate Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 20/99] efi: Fix debugobjects warning on efi_rts_work Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 21/99] arm64: dts: rockchip: fix rk3328-roc-cc gmac2io tx/rx_delay Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 22/99] HID: logitech: check the return value of create_singlethread_workqueue Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 23/99] HID: debug: fix race condition with between rdesc_show() and device removal Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 24/99] rtc: cros-ec: Fail suspend/resume if wake IRQ cant be configured Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 25/99] rtc: sh: Fix invalid alarm warning for non-enabled alarm Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 4.19 26/99] batman-adv: Reduce claim hash refcnt only for removed entry Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 27/99] batman-adv: Reduce tt_local " Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 28/99] batman-adv: Reduce tt_global " Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 29/99] batman-adv: fix warning in function batadv_v_elp_get_throughput Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 30/99] ARM: dts: rockchip: Fix gpu opp node names for rk3288 Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 31/99] reset: meson-audio-arb: Fix missing .owner setting of reset_controller_dev Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 32/99] igb: Fix WARN_ONCE on runtime suspend Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 33/99] riscv: fix accessing 8-byte variable from RV32 Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 34/99] HID: quirks: Fix keyboard + touchpad on Lenovo Miix 630 Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 35/99] net: hns3: fix compile error Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 36/99] net/mlx5: E-Switch, Fix esw manager vport indication for more vport commands Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 37/99] bonding: show full hw address in sysfs for slave entries Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 38/99] net: stmmac: use correct DMA buffer size in the RX descriptor Greg Kroah-Hartman
2019-05-08  0:10   ` Nobuhiro Iwamatsu
2019-05-08  6:35     ` Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 39/99] net: stmmac: ratelimit RX error logs Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 40/99] net: stmmac: dont stop NAPI processing when dropping a packet Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 41/99] net: stmmac: dont overwrite discard_frame status Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 42/99] net: stmmac: fix dropping of multi-descriptor RX frames Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 43/99] net: stmmac: dont log oversized frames Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 44/99] jffs2: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 45/99] debugfs: " Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 46/99] mfd: twl-core: Disable IRQ while suspended Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 47/99] block: use blk_free_flush_queue() to free hctx->fq in blk_mq_init_hctx Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 48/99] rtc: da9063: set uie_unsupported when relevant Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 49/99] HID: input: add mapping for Assistant key Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 50/99] vfio/pci: use correct format characters Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 51/99] scsi: core: add new RDAC LENOVO/DE_Series device Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 52/99] scsi: storvsc: Fix calculation of sub-channel count Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 53/99] arm/mach-at91/pm : fix possible object reference leak Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 54/99] arm64: fix wrong check of on_sdei_stack in nmi context Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 55/99] net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw() Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 56/99] net: hns: Use NAPI_POLL_WEIGHT for hns driver Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 57/99] net: hns: Fix probabilistic memory overwrite when HNS driver initialized Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 58/99] net: hns: fix ICMP6 neighbor solicitation messages discard problem Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 59/99] net: hns: Fix WARNING when remove HNS driver with SMMU enabled Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 60/99] libcxgb: fix incorrect ppmax calculation Greg Kroah-Hartman
2019-05-06 14:32 ` Greg Kroah-Hartman [this message]
2019-05-06 14:32 ` [PATCH 4.19 62/99] kmemleak: powerpc: skip scanning holes in the .bss section Greg Kroah-Hartman
2019-05-07  7:58   ` Nobuhiro Iwamatsu
2019-05-07 12:51     ` Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 63/99] hugetlbfs: fix memory leak for resv_map Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 64/99] sh: fix multiple function definition build errors Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 65/99] xsysace: Fix error handling in ace_setup Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 66/99] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 67/99] ARM: orion: dont use using 64-bit DMA masks Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 68/99] ARM: iop: " Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 69/99] block: pass no-op callback to INIT_WORK() Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 70/99] perf/x86/amd: Update generic hardware cache events for Family 17h Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 71/99] Bluetooth: btusb: request wake pin with NOAUTOEN Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 72/99] Bluetooth: mediatek: fix up an error path to restore bdev->tx_state Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 73/99] clk: qcom: Add missing freq for usb30_master_clk on 8998 Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 74/99] staging: iio: adt7316: allow adt751x to use internal vref for all dacs Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 75/99] staging: iio: adt7316: fix the dac read calculation Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 76/99] staging: iio: adt7316: fix the dac write calculation Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 77/99] scsi: RDMA/srpt: Fix a credit leak for aborted commands Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 78/99] ASoC: Intel: bytcr_rt5651: Revert "Fix DMIC map headsetmic mapping" Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 79/99] ASoC: wm_adsp: Correct handling of compressed streams that restart Greg Kroah-Hartman
2019-05-07  8:44   ` Nobuhiro Iwamatsu
2019-05-07 12:49     ` Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 80/99] ASoC: stm32: fix sai driver name initialisation Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 81/99] platform/x86: intel_pmc_core: Fix PCH IP name Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 82/99] platform/x86: intel_pmc_core: Handle CFL regmap properly Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 83/99] IB/core: Unregister notifier before freeing MAD security Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 84/99] IB/core: Fix potential memory leak while creating MAD agents Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 85/99] IB/core: Destroy QP if XRC QP fails Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 4.19 86/99] Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 87/99] Input: stmfts - acknowledge that setting brightness is a blocking call Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 88/99] gpio: mxc: add check to return defer probe if clock tree NOT ready Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 89/99] selinux: avoid silent denials in permissive mode under RCU walk Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 90/99] selinux: never allow relabeling on context mounts Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 91/99] mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 92/99] powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 93/99] x86/mce: Improve error message when kernel cannot recover, p2 Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 94/99] clk: x86: Add system specific quirk to mark clocks as critical Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 95/99] x86/mm/KASLR: Fix the size of the direct mapping section Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 96/99] x86/mm: Fix a crash with kmemleak_scan() Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 97/99] x86/mm/tlb: Revert "x86/mm: Align TLB invalidation info" Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 98/99] i2c: i2c-stm32f7: Fix SDADEL minimum formula Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 4.19 99/99] media: v4l2: i2c: ov7670: Fix PLL bypass register values Greg Kroah-Hartman
2019-05-07  9:49 ` [PATCH 4.19 00/99] 4.19.41-stable review Naresh Kamboju
2019-05-07 12:44 ` Jon Hunter
2019-05-07 18:39 ` Guenter Roeck
2019-05-07 19:27 ` kernelci.org bot
2019-05-07 20:22 ` shuah

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:813cb60eb40 dfblob:8dd9208ae4d )
 OR (
bs:"[PATCH 4.19 61/99] KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190506143059.604447144@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=cfir@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=rientjes@google.com \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).