korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-11-18 09:44:18 +08:00
Code Issues Packages Projects Releases Wiki Activity
444fdad88f
linux/arch/x86/kvm
History
Radim Krčmář 444fdad88f KVM: x86: fix out-of-bounds access in lapic 
Cluster xAPIC delivery incorrectly assumed that dest_id <= 0xff.
With enabled KVM_X2APIC_API_USE_32BIT_IDS in KVM_CAP_X2APIC_API, a
userspace can send an interrupt with dest_id that results in
out-of-bounds access.

Found by syzkaller:

  BUG: KASAN: slab-out-of-bounds in kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003d9ca750
  Read of size 8 by task syz-executor/22923
  CPU: 0 PID: 22923 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
   [...]
  Call Trace:
   [...] __dump_stack lib/dump_stack.c:15
   [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51
   [...] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
   [...] print_address_description mm/kasan/report.c:194
   [...] kasan_report_error mm/kasan/report.c:283
   [...] kasan_report+0x231/0x500 mm/kasan/report.c:303
   [...] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:329
   [...] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 arch/x86/kvm/lapic.c:824
   [...] kvm_irq_delivery_to_apic+0x132/0x9a0 arch/x86/kvm/irq_comm.c:72
   [...] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
   [...] kvm_send_userspace_msi+0x201/0x280 arch/x86/kvm/../../../virt/kvm/irqchip.c:74
   [...] kvm_vm_ioctl+0xba5/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
   [...] vfs_ioctl fs/ioctl.c:43
   [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
   [...] SYSC_ioctl fs/ioctl.c:694
   [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
   [...] entry_SYSCALL_64_fastpath+0x1f/0xc2

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: e45115b62f ("KVM: x86: use physical LAPIC array for logical x2APIC")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2016-11-24 18:35:53 +01:00
..
assigned-dev.c KVM: x86: use list_for_each_entry* 2016-02-23 15:40:54 +01:00
assigned-dev.h KVM: x86: move device assignment out of kvm_host.h 2014-11-24 16:53:50 +01:00
cpuid.c KVM: x86: Expose more Intel AVX512 feature to guest 2016-08-19 17:51:40 +02:00
cpuid.h Revert "KVM: x86: add pcommit support" 2016-07-23 11:04:23 -07:00
debugfs.c kvm: x86: export TSC information to user-space 2016-09-16 16:57:48 +02:00
emulate.c kvm: x86: Check memopp before dereference (CVE-2016-8630) 2016-11-02 21:31:53 +01:00
hyperv.c KVM: x86: Hyper-V tsc page setup 2016-09-20 09:26:20 +02:00
hyperv.h KVM: x86: Hyper-V tsc page setup 2016-09-20 09:26:20 +02:00
i8254.c kthread: kthread worker API cleanup 2016-10-11 15:06:33 -07:00
i8254.h KVM: i8254: turn kvm_kpit_state.reinject into atomic_t 2016-03-04 09:30:25 +01:00
i8259.c KVM: x86: clean/fix memory barriers in irqchip_in_kernel 2015-07-30 16:02:56 +02:00
ioapic.c kvm: x86: memset whole irq_eoi 2016-10-20 14:54:11 +02:00
ioapic.h kvm: x86: Track irq vectors in ioapic->rtc_status.dest_map 2016-03-03 14:36:18 +01:00
iommu.c - ARM: GICv3 ITS emulation and various fixes. Removal of the old 2016-08-02 16:11:27 -04:00
irq_comm.c kvm: x86: merge kvm_arch_set_irq and kvm_arch_set_irq_inatomic 2016-11-19 19:04:19 +01:00
irq.c x86/kvm: Audit and remove any unnecessary uses of module.h 2016-07-14 15:07:00 +02:00
irq.h KVM: Move kvm_setup_default/empty_irq_routing declaration in arch specific header 2016-07-22 18:52:00 +01:00
Kconfig KVM: remove kvm_vcpu_compatible 2016-06-16 00:05:00 +02:00
kvm_cache_regs.h KVM, pkeys: add pkeys support for permission_fault 2016-03-22 16:23:37 +01:00
lapic.c KVM: x86: fix out-of-bounds access in lapic 2016-11-24 18:35:53 +01:00
lapic.h KVM: x86: use hardware-compatible format for APIC ID register 2016-07-14 09:03:54 +02:00
Makefile kvm: add stubs for arch specific debugfs support 2016-09-16 16:57:47 +02:00
mmu_audit.c kvm: rename pfn_t to kvm_pfn_t 2016-01-15 17:56:32 -08:00
mmu.c mmu: don't pass *kvm to spte_write_protect and spte_*_dirty 2016-08-19 17:51:40 +02:00
mmu.h kvm: mmu: remove is_present_gpte() 2016-07-14 09:02:47 +02:00
mmutrace.h tracing: Rename ftrace_event.h to trace_events.h 2015-05-13 14:05:12 -04:00
mtrr.c KVM: MTRR: fix kvm_mtrr_check_gfn_range_consistency page fault 2016-07-05 16:14:43 +02:00
page_track.c KVM: page_track: fix access to NULL slot 2016-03-22 17:27:28 +01:00
paging_tmpl.h kvm: mmu: track read permission explicitly for shadow EPT page tables 2016-07-14 09:03:50 +02:00
pmu_amd.c perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 2016-09-16 16:19:49 +02:00
pmu_intel.c KVM: x86: Fix typos 2016-06-14 11:16:28 +02:00
pmu.c KVM: x86: consolidate different ways to test for in-kernel LAPIC 2016-02-09 16:57:45 +01:00
pmu.h KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch 2015-06-23 14:12:14 +02:00
svm.c KVM: x86: drop TSC offsetting kvm_x86_ops to fix KVM_GET/SET_CLOCK 2016-11-02 20:03:07 +01:00
trace.h KVM: x86: support using the vmx preemption timer for tsc deadline timer 2016-06-16 10:07:48 +02:00
tss.h
vmx.c kvm: nVMX: VMCLEAR an active shadow VMCS after last use 2016-11-02 20:03:17 +01:00
x86.c KVM: x86: fix missed SRCU usage in kvm_lapic_set_vapic_addr 2016-11-19 19:04:18 +01:00
x86.h KVM: x86: introduce get_kvmclock_ns 2016-09-20 09:26:15 +02:00