[PATCH] KVM: arm64: Validate input range for pKVM mem transitions
Vincent Donnefort
vdonnefort at google.com
Fri Sep 19 03:01:05 PDT 2025
On Thu, Sep 18, 2025 at 02:21:43PM -0700, Oliver Upton wrote:
> On Thu, Sep 18, 2025 at 07:00:49PM +0100, Vincent Donnefort wrote:
> > There's currently no verification for host issued ranges in most of the
> > pKVM memory transitions. The subsequent end boundary might therefore be
> > subject to overflow and could evade the later checks.
> >
> > Close this loophole with an additional range_is_valid() check on a per
> > public function basis.
> >
> > host_unshare_guest transition is already protected via
> > __check_host_shared_guest(), while assert_host_shared_guest() callers
> > are already ignoring host checks.
> >
> > Signed-off-by: Vincent Donnefort <vdonnefort at google.com>
> >
> > diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> > index 8957734d6183..b156fb0bad0f 100644
> > --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> > +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
> > @@ -443,6 +443,11 @@ static bool range_is_memory(u64 start, u64 end)
> > return is_in_mem_range(end - 1, &r);
> > }
> >
> > +static bool range_is_valid(u64 start, u64 end)
> > +{
> > + return start < end;
> > +}
> > +
>
> I'm being unnecessarily pedantic but isn't something like [-2MiB, 0) a
> legal range if we had 64 bits of PA? Looks correct though so:
Apologies, I am not sure I see what you mean with this -2MiB range.
>
> Reviewed-by: Oliver Upton <oliver.upton at linux.dev>
>
> Thanks,
> Oliver
More information about the linux-arm-kernel
mailing list