From patchwork Wed Apr 19 08:06:44 2023
X-Patchwork-Submitter: Dan Carpenter
X-Patchwork-Id: 13216494
Date: Wed, 19 Apr 2023 11:06:44 +0300
From: Dan Carpenter
To: Andre Przywara
Cc: Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu, Catalin Marinas, Will Deacon, Steven Price, Eric Auger, Andre Przywara, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, kernel-janitors@vger.kernel.org
Subject: [PATCH] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()

The KVM_REG_SIZE() comes from the ioctl and it can be a power of two between 0-32768, but if it is more than sizeof(long) this will corrupt memory.

Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state")
Signed-off-by: Dan Carpenter
Reviewed-by: Steven Price
Reviewed-by: Eric Auger
---
arch/arm64/kvm/hypercalls.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c index 2e16fc7b31bf..4f5767fcaca5 100644 --- a/arch/arm64/kvm/hypercalls.c +++ b/arch/arm64/kvm/hypercalls.c @@ -544,6 +544,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) u64 val; int wa_level; + if (KVM_REG_SIZE(reg->id) > sizeof(val)) + return -EINVAL; if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id))) return -EFAULT;
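Review bot: the added `>` check stops copy_from_user() from writing past `val`, but a register size smaller than sizeof(val) still passes it and leaves the upper bytes of the uninitialized `u64 val` holding stale stack contents, which the rest of the function then consumes as a full 64-bit value; since this path only makes sense for an 8-byte register, consider rejecting any mismatch with `if (KVM_REG_SIZE(reg->id) != sizeof(val)) return -EINVAL;`. A smaller point: the commit message says the bound is sizeof(long) while the code compares against sizeof(val); both are 8 bytes on arm64, but the message should name the actual bound the code enforces.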