[PW_SID:1130089] RISC-V: KVM: Fix PMU event info array size overflow#2316
[PW_SID:1130089] RISC-V: KVM: Fix PMU event info array size overflow#2316linux-riscv-bot wants to merge 1 commit into
Conversation
SBI PMU EVENT_GET_INFO stores guest-controlled num_events * sizeof(*einfo) in an int. On RV64, num_events = 0x10000001 makes 0x100000010 truncate to 16. KVM then allocates one entry but loops over the original num_events, causing out-of-bounds reads and writes. A nested guest triggered: BUG: KASAN: slab-out-of-bounds in kvm_riscv_vcpu_pmu_event_info+0xa4/0x142 Read of size 4 at addr ff600000074d46b0 by task init/1 Call Trace: [<ffffffff8006471c>] kvm_riscv_vcpu_pmu_event_info+0xa4/0x142 [<ffffffff800690c0>] kvm_sbi_ext_pmu_handler+0xca/0x268 [<ffffffff8006779e>] kvm_riscv_vcpu_sbi_ecall+0xec/0x1e6 [<ffffffff8006008c>] kvm_riscv_vcpu_exit+0x48c/0x540 [<ffffffff8005ea0a>] kvm_arch_vcpu_ioctl_run+0x37e/0xc80 Allocated by task 1: __kmalloc_noprof+0x19e/0x4b0 kvm_riscv_vcpu_pmu_event_info+0x72/0x142 kvm_sbi_ext_pmu_handler+0xca/0x268 kvm_riscv_vcpu_sbi_ecall+0xec/0x1e6 kvm_riscv_vcpu_exit+0x48c/0x540 kvm_arch_vcpu_ioctl_run+0x37e/0xc80 The buggy address is located 0 bytes to the right of allocated 16-byte region [ff600000074d46a0, ff600000074d46b0) Store the shared-memory size in size_t and reject multiplication overflow. Reject sizes beyond KMALLOC_MAX_SIZE to avoid triggering WARN_ON_ONCE_GFP() for an impossible allocation order. Use an unsigned long loop index to match num_events. Fixes: e309fd1 ("RISC-V: KVM: Implement get event info function") Cc: stable@vger.kernel.org Signed-off-by: Guidong Han <2045gemini@gmail.com> Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
|
Patch 1: "RISC-V: KVM: Fix PMU event info array size overflow" |
PR for series 1130089 applied to workflow__riscv__fixes
Name: RISC-V: KVM: Fix PMU event info array size overflow
URL: https://patchwork.kernel.org/project/linux-riscv/list/?series=1130089
Version: 1