[PATCH v5.5 02/30] KVM: Disallow user memslot with size that exceeds "unsigned long"

Maciej S. Szmigiero maciej.szmigiero at oracle.com
Mon Nov 8 16:38:02 PST 2021


On 04.11.2021 01:25, Sean Christopherson wrote:
> Reject userspace memslots whose size exceeds the storage capacity of an
> "unsigned long".  KVM's uAPI takes the size as u64 to support large slots
> on 64-bit hosts, but does not account for the size being truncated on
> 32-bit hosts in various flows.  The access_ok() check on the userspace
> virtual address in particular casts the size to "unsigned long" and will
> check the wrong number of bytes.
> 
> KVM doesn't actually support slots whose size doesn't fit in an "unsigned
> long", e.g. KVM's internal kvm_memory_slot.npages is an "unsigned long",
> not a "u64", and misc arch specific code follows that behavior.
> 
> Fixes: fa3d315a4ce2 ("KVM: Validate userspace_addr of memslot when registered")
> Cc: stable at vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc at google.com>
> ---
>   virt/kvm/kvm_main.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
> index 99e69375c4c9..83287730389f 100644
> --- a/virt/kvm/kvm_main.c
> +++ b/virt/kvm/kvm_main.c
> @@ -1689,7 +1689,8 @@ int __kvm_set_memory_region(struct kvm *kvm,
>   	id = (u16)mem->slot;
>   
>   	/* General sanity checks */
> -	if (mem->memory_size & (PAGE_SIZE - 1))
> +	if ((mem->memory_size & (PAGE_SIZE - 1)) ||
> +	    (mem->memory_size != (unsigned long)mem->memory_size))
>   		return -EINVAL;
>   	if (mem->guest_phys_addr & (PAGE_SIZE - 1))
>   		return -EINVAL;
> 

Reviewed-by: Maciej S. Szmigiero <maciej.szmigiero at oracle.com>



More information about the linux-arm-kernel mailing list