[PATCH] KVM: arm64: Validate input range for pKVM mem transitions
Oliver Upton
oliver.upton at linux.dev
Thu Sep 18 14:21:43 PDT 2025
On Thu, Sep 18, 2025 at 07:00:49PM +0100, Vincent Donnefort wrote:
> There's currently no verification for host issued ranges in most of the
> pKVM memory transitions. The subsequent end boundary might therefore be
> subject to overflow and could evade the later checks.
>
> Close this loophole with an additional range_is_valid() check on a per
> public function basis.
>
> host_unshare_guest transition is already protected via
> __check_host_shared_guest(), while assert_host_shared_guest() callers
> are already ignoring host checks.
>
> Signed-off-by: Vincent Donnefort <vdonnefort at google.com>
>
> diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> index 8957734d6183..b156fb0bad0f 100644
> --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> @@ -443,6 +443,11 @@ static bool range_is_memory(u64 start, u64 end)
> return is_in_mem_range(end - 1, &r);
> }
>
> +static bool range_is_valid(u64 start, u64 end)
> +{
> + return start < end;
> +}
> +
I'm being unnecessarily pedantic but isn't something like [-2MiB, 0) a
legal range if we had 64 bits of PA? Looks correct though so:
Reviewed-by: Oliver Upton <oliver.upton at linux.dev>
Thanks,
Oliver
More information about the linux-arm-kernel
mailing list