Petr Tesarik f90df7
From: Thomas Huth <thuth@redhat.com>
Date: Thu, 29 Aug 2019 14:25:17 +0200
Subject: KVM: s390: Test for bad access register and size at the start of
 S390_MEM_OP
Git-commit: a13b03bbb4575b350b46090af4dfd30e735aaed1
Patch-mainline: v5.4-rc1
References: git-fixes

If the KVM_S390_MEM_OP ioctl is called with an access register >= 16,
then there is certainly a bug in the calling userspace application.
We check for wrong access registers, but only if the vCPU was already
in the access register mode before (i.e. the SIE block has recorded
it). The check is also buried somewhere deep in the calling chain (in
the function ar_translation()), so this is somewhat hard to find.

It's better to always report an error to the userspace in case this
field is set wrong, and it's safer in the KVM code if we block wrong
values here early instead of relying on a check somewhere deep down
the calling chain, so let's add another check to kvm_s390_guest_mem_op()
directly.

We also should check that the "size" is non-zero here (thanks to Janosch
Frank for the hint!). If we do not check the size, we could call vmalloc()
with this 0 value, and this will cause a kernel warning.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Link: https://lkml.kernel.org/r/20190829122517.31042-1-thuth@redhat.com
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Acked-by: Petr Tesarik <ptesarik@suse.com>
---
 arch/s390/kvm/kvm-s390.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -3703,7 +3703,7 @@ static long kvm_s390_guest_mem_op(struct
 	const u64 supported_flags = KVM_S390_MEMOP_F_INJECT_EXCEPTION
 				    | KVM_S390_MEMOP_F_CHECK_ONLY;
 
-	if (mop->flags & ~supported_flags)
+	if (mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size)
 		return -EINVAL;
 
 	if (mop->size > MEM_OP_MAX_SIZE)
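Review bot: the new condition on the `+` line combines a bitwise `&` test with `||` without parentheses; operator precedence makes `mop->flags & ~supported_flags || mop->ar >= NUM_ACRS || !mop->size` evaluate as intended, but writing `(mop->flags & ~supported_flags) || mop->ar >= NUM_ACRS || !mop->size` removes any doubt for the next reader. Placing `!mop->size` ahead of the existing `mop->size > MEM_OP_MAX_SIZE` check means both the zero-length and the oversize case return -EINVAL before any buffer is allocated, which matches the vmalloc() rationale in the commit message; NUM_ACRS is not defined in this hunk, so a reviewer should confirm it is the 16-register bound the message refers to.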