KVM: Array access out of bounds

Message ID	20241023120111.3973-1-liujing@cmss.chinamobile.com (mailing list archive)
State	New
Headers	show Received: from cmccmta2.chinamobile.com (cmccmta2.chinamobile.com [111.22.67.135]) by smtp.subspace.kernel.org (Postfix) with ESMTP id D25F21AAE3A; Wed, 23 Oct 2024 12:22:54 +0000 (UTC) From: Liu Jing <liujing@cmss.chinamobile.com> To: mpe@ellerman.id.au Cc: npiggin@gmail.com, christophe.leroy@csgroup.eu, naveen@kernel.org, maddy@linux.ibm.com, linuxppc-dev@lists.ozlabs.org, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Liu Jing <liujing@cmss.chinamobile.com> Subject: [PATCH] KVM: Array access out of bounds Date: Wed, 23 Oct 2024 20:01:11 +0800 Message-Id: <20241023120111.3973-1-liujing@cmss.chinamobile.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	KVM: Array access out of bounds \| expand KVM: Array access out of bounds

Message ID

20241023120111.3973-1-liujing@cmss.chinamobile.com (mailing list archive)

State

New

Headers

From: Liu Jing <liujing@cmss.chinamobile.com>
To: mpe@ellerman.id.au
Cc: npiggin@gmail.com,
	christophe.leroy@csgroup.eu,
	naveen@kernel.org,
	maddy@linux.ibm.com,
	linuxppc-dev@lists.ozlabs.org,
	kvm@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Liu Jing <liujing@cmss.chinamobile.com>
Subject: [PATCH] KVM: Array access out of bounds
Date: Wed, 23 Oct 2024 20:01:11 +0800
Message-Id: <20241023120111.3973-1-liujing@cmss.chinamobile.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

KVM: Array access out of bounds | expand

Comments

Paolo Bonzini Oct. 23, 2024, 12:58 p.m. UTC | #1

On 10/23/24 14:01, Liu Jing wrote:
> In the kvmppc_mmu_book3s_64_xlate function,
> r = be64_to_cpu(pteg[i+1]); i used is 16 after the last loop and adding 1 will cross the line.
> 
> Signed-off-by: Liu Jing <liujing@cmss.chinamobile.com>
> 
> diff --git a/arch/powerpc/kvm/book3s_64_mmu.c b/arch/powerpc/kvm/book3s_64_mmu.c
> index 61290282fd9e..75d2b284c4b4 100644
> --- a/arch/powerpc/kvm/book3s_64_mmu.c
> +++ b/arch/powerpc/kvm/book3s_64_mmu.c
> @@ -284,11 +284,16 @@ static int kvmppc_mmu_book3s_64_xlate(struct kvm_vcpu *vcpu, gva_t eaddr,
>   		second = true;
>   		goto do_second;
>   	}
> +	if (i < 14) {

This should be i <= 14 (not "<").  And in fact, if you get here you must 
have found == true, and therefore i is indeed <= 14.  The code right 
above is this:

         if (!found) {
                 if (second)
                         goto no_page_found;
                 v_val |= HPTE_V_SECONDARY;
                 second = true;
                 goto do_second;
         }

and  "found = true" is set just before a break statement.

Paolo

> +		r = be64_to_cpu(pteg[i+1]);
> +		pp = (r & HPTE_R_PP) | key;
> +		if (r & HPTE_R_PP0)
> +			pp |= 8;
> +	} else {
> +		dprintk("KVM: Index out of bounds!\n");
> +		goto no_page_found;
> +	}
>   
> -	r = be64_to_cpu(pteg[i+1]);
> -	pp = (r & HPTE_R_PP) | key;
> -	if (r & HPTE_R_PP0)
> -		pp |= 8;
>   
>   	gpte->eaddr = eaddr;
>   	gpte->vpage = kvmppc_mmu_book3s_64_ea_to_vp(vcpu, eaddr, data);

diff --git a/arch/powerpc/kvm/book3s_64_mmu.c b/arch/powerpc/kvm/book3s_64_mmu.c
index 61290282fd9e..75d2b284c4b4 100644
--- a/arch/powerpc/kvm/book3s_64_mmu.c
+++ b/arch/powerpc/kvm/book3s_64_mmu.c
@@ -284,11 +284,16 @@  static int kvmppc_mmu_book3s_64_xlate(struct kvm_vcpu *vcpu, gva_t eaddr,
 		second = true;
 		goto do_second;
 	}
+	if (i < 14) {
+		r = be64_to_cpu(pteg[i+1]);
+		pp = (r & HPTE_R_PP) | key;
+		if (r & HPTE_R_PP0)
+			pp |= 8;
+	} else {
+		dprintk("KVM: Index out of bounds!\n");
+		goto no_page_found;
+	}
 
-	r = be64_to_cpu(pteg[i+1]);
-	pp = (r & HPTE_R_PP) | key;
-	if (r & HPTE_R_PP0)
-		pp |= 8;
 
 	gpte->eaddr = eaddr;
 	gpte->vpage = kvmppc_mmu_book3s_64_ea_to_vp(vcpu, eaddr, data);

KVM: Array access out of bounds

Commit Message

Comments

Patch