From patchwork Sat Aug 29 12:13:24 2009
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Roel Kluin <roel.kluin@gmail.com>
X-Patchwork-Id: 44684
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by demeter.kernel.org (8.14.2/8.14.2) with ESMTP id n7TC83FF018394
	for <patchwork-kvm@patchwork.kernel.org>;
	Sat, 29 Aug 2009 12:08:03 GMT
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1752319AbZH2MH6 (ORCPT
	<rfc822;patchwork-kvm@patchwork.kernel.org>);
	Sat, 29 Aug 2009 08:07:58 -0400
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1752320AbZH2MH6
	(ORCPT <rfc822;kvm-outgoing>); Sat, 29 Aug 2009 08:07:58 -0400
Received: from mail-ew0-f206.google.com ([209.85.219.206]:57833 "EHLO
	mail-ew0-f206.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752312AbZH2MH5 (ORCPT <rfc822; kvm@vger.kernel.org>);
	Sat, 29 Aug 2009 08:07:57 -0400
Received: by ewy2 with SMTP id 2so2808303ewy.17
	for <kvm@vger.kernel.org>; Sat, 29 Aug 2009 05:07:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:message-id:date:from
	:user-agent:mime-version:to:subject:content-type
	:content-transfer-encoding;
	bh=MUDS4C3vMPDbCzU2AMpyo9hExuRMV0MASZBaUInVDuI=;
	b=frP4Wx2a3eN0i+8wHGtW5Bk6rnfxjRDfiRsrUUGWI+9Hq7vj/nfnAydcEONYtVaeNJ
	F1IQ3Vl/mFm+V8fO6zSU+NjMGMgkF5HTmlkJQ5WHprbkqzJne5fdKF4mqseSF1PplLeG
	gu72Wm6o41tl2osD+PxY7tbwzEgqwu9FVweuM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=message-id:date:from:user-agent:mime-version:to:subject
	:content-type:content-transfer-encoding;
	b=mEdSDBwsqizry0DLxzojMXrWfO8z9cWFkBjJPSIZfj5JYCseAEui5ArCLoFIP6CIeC
	qsUyq6d73+XcelLKRLIgIAD3KFh++bMdkQQX7nfiMXe+t5KGL3WyK1gMIWj7Nvl+3p7o
	H7Q0Jbbxfug8xFDpvc/ZM/Wt6fY/CTg8Y4i68=
Received: by 10.211.146.5 with SMTP id y5mr2628959ebn.41.1251547678675;
	Sat, 29 Aug 2009 05:07:58 -0700 (PDT)
Received: from zoinx.mars (d133062.upc-d.chello.nl [213.46.133.62])
	by mx.google.com with ESMTPS id 28sm60394eye.24.2009.08.29.05.07.57
	(version=SSLv3 cipher=RC4-MD5);
	Sat, 29 Aug 2009 05:07:58 -0700 (PDT)
Message-ID: <4A991B64.3050903@gmail.com>
Date: Sat, 29 Aug 2009 14:13:24 +0200
From: Roel Kluin <roel.kluin@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.1.1) Gecko/20090814 Fedora/3.0-2.6.b3.fc11
	Thunderbird/3.0b3
MIME-Version: 1.0
To: Avi Kivity <avi@redhat.com>, kvm@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH] KVM: prevent read from desc->shadow_ptes[-1] in
	rmap_desc_remove_entry()
Sender: kvm-owner@vger.kernel.org
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org

prevent read from desc->shadow_ptes[-1]

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
---
If in rmap_remove() (bottom) we do:

while (desc) {
        for (i = 0; i < RMAP_EXT && desc->shadow_ptes[i]; ++i)
                if (desc->shadow_ptes[i] == spte) {
                        rmap_desc_remove_entry(rmapp,
                                               desc, i,
                                               prev_desc);
                        return;
                }
        prev_desc = desc;
        desc = desc->more;
}

If in the first iteration esc->shadow_ptes[0] == spte, then we
call rmap_desc_remove_entry() with i == 0, and then we read in
the last iteration from desc->shadow_ptes[-1].

I found this by code analysis.

--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 0ef5bb2..e1b2e46 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -541,7 +541,7 @@ static void rmap_desc_remove_entry(unsigned long *rmapp,
 {
 	int j;
 
-	for (j = RMAP_EXT - 1; !desc->shadow_ptes[j] && j > i; --j)
+	for (j = RMAP_EXT - 1; j > i && !desc->shadow_ptes[j]; --j)
 		;
 	desc->shadow_ptes[i] = desc->shadow_ptes[j];
 	desc->shadow_ptes[j] = NULL;