[PATCH v2] KVM: arm64: Fix buffer overflow in kvm_arm_set_fw_reg()
Marc Zyngier
maz at kernel.org
Wed Apr 19 04:31:53 PDT 2023
Hi Dan,
On Wed, 19 Apr 2023 11:16:13 +0100,
Dan Carpenter <dan.carpenter at linaro.org> wrote:
>
> The KVM_REG_SIZE() comes from the ioctl and it can be a power of two
> between 0-32768 but if it is more than sizeof(long) this will corrupt
> memory.
>
> Fixes: 99adb567632b ("KVM: arm/arm64: Add save/restore support for firmware workaround state")
> Signed-off-by: Dan Carpenter <dan.carpenter at linaro.org>
> ---
> v2: The original patch was okay but checking for != sizeof(val) is
> stricter and more Obviously Correct[tm]. Return -ENOENT instead of
> -EINVAL in case future ioctls are added which take a different size.
>
> arch/arm64/kvm/hypercalls.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/arm64/kvm/hypercalls.c b/arch/arm64/kvm/hypercalls.c
> index 2e16fc7b31bf..7fb4df0456de 100644
> --- a/arch/arm64/kvm/hypercalls.c
> +++ b/arch/arm64/kvm/hypercalls.c
> @@ -544,6 +544,8 @@ int kvm_arm_set_fw_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
> u64 val;
> int wa_level;
>
> + if (KVM_REG_SIZE(reg->id) != sizeof(val))
> + return -ENOENT;
> if (copy_from_user(&val, uaddr, KVM_REG_SIZE(reg->id)))
> return -EFAULT;
>
Thanks for the fix. In the future, please Cc me on KVM/arm64 patches
(specially this particular variety of patches...).
Reviewed-by: Marc Zyngier <maz at kernel.org>
M.
--
Without deviation from the norm, progress is not possible.
More information about the linux-arm-kernel
mailing list