From patchwork Thu Jul  2 19:50:49 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jan Kiszka <jan.kiszka@web.de>
X-Patchwork-Id: 33764
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n62Jp2oU028950
	for <patchwork-kvm@patchwork.kernel.org>; Thu, 2 Jul 2009 19:51:02 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751209AbZGBTu4 (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Thu, 2 Jul 2009 15:50:56 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751298AbZGBTu4
	(ORCPT <rfc822;kvm-outgoing>); Thu, 2 Jul 2009 15:50:56 -0400
Received: from fmmailgate01.web.de ([217.72.192.221]:53418 "EHLO
	fmmailgate01.web.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751012AbZGBTu4 (ORCPT <rfc822; kvm@vger.kernel.org>);
	Thu, 2 Jul 2009 15:50:56 -0400
Received: from smtp07.web.de (fmsmtp07.dlan.cinetic.de [172.20.5.215])
	by fmmailgate01.web.de (Postfix) with ESMTP id 7863E107FEE0B;
	Thu,  2 Jul 2009 21:50:50 +0200 (CEST)
Received: from [92.74.61.159] (helo=[192.168.1.10])
	by smtp07.web.de with asmtp (TLSv1:AES256-SHA:256)
	(WEB.DE 4.110 #277)
	id 1MMSJ0-0006Dl-00; Thu, 02 Jul 2009 21:50:50 +0200
Message-ID: <4A4D0F99.2030604@web.de>
Date: Thu, 02 Jul 2009 21:50:49 +0200
From: Jan Kiszka <jan.kiszka@web.de>
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de;
	rv:1.8.1.12) Gecko/20080226 SUSE/2.0.0.12-1.1
	Thunderbird/2.0.0.12 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: Avi Kivity <avi@redhat.com>
CC: kvm-devel <kvm@vger.kernel.org>
Subject: [PATCH] qemu-kvm: Work around borken MSR_GET_INDEX_LIST
X-Enigmail-Version: 0.95.7
X-Sender: jan.kiszka@web.de
X-Provags-ID: V01U2FsdGVkX1/mDFnbmHCre6sLR00TdCFlvuxZMo+mSTdUdAiI
	TWEeAO+VpowTzMBDwZ21HeoCr5HxV9lrz11myLZIiYRSndiEnK quRoPvhLQ=
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org

Allocate enough memory for KVM_GET_MSR_INDEX_LIST as older kernels shot
far beyond their limits, corrupting user space memory.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
---

 qemu-kvm-x86.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/qemu-kvm-x86.c b/qemu-kvm-x86.c
index d6735c1..e528acb 100644
--- a/qemu-kvm-x86.c
+++ b/qemu-kvm-x86.c
@@ -349,7 +349,10 @@ struct kvm_msr_list *kvm_get_msr_list(kvm_context_t kvm)
 	r = ioctl(kvm->fd, KVM_GET_MSR_INDEX_LIST, &sizer);
 	if (r == -1 && errno != E2BIG)
 		return NULL;
-	msrs = malloc(sizeof *msrs + sizer.nmsrs * sizeof *msrs->indices);
+	/* Old kernel modules had a bug and could write beyond the provided
+	   memory. Allocate at least a safe amount of 1K. */
+	msrs = malloc(MAX(1024, sizeof(*msrs) +
+				sizer.nmsrs * sizeof(*msrs->indices)));
 	if (!msrs) {
 		errno = ENOMEM;
 		return NULL;