[PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()

Eric Auger eric.auger at redhat.com
Wed Apr 19 03:21:44 PDT 2023



On 4/19/23 12:16, Dan Carpenter wrote:
> The KVM_REG_SIZE() comes from the ioctl and it can be a power of two
> between 0-32768 but if it is more than sizeof(long) this will corrupt
> memory.
>
> Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state")
> Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
> ---
> v2: The original patch was okay but checking for != sizeof(val) is
>     stricter and more Obviously Correct[tm].  Return -ENOENT instead of
>     -EINVAL in case future ioctls are added which take a different size.
Reviewed-by: Eric Auger <eric.auger at redhat.com>

Eric
>
>  arch/arm64/kvm/hypercalls.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
> index 2e16fc7b31bf..7fb4df0456de 100644
> --- a/arch/arm64/kvm/hypercalls.c
> +++ b/arch/arm64/kvm/hypercalls.c
> @@ -544,6 +544,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
>  	u64 val;
>  	int wa_level;
>  
> +	if (KVM_REG_SIZE(reg->id) != sizeof(val))
> +		return -ENOENT;
>  	if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id)))
>  		return -EFAULT;
>  




More information about the linux-arm-kernel mailing list