79a7768be7
commit 8b8e57e5096e47ca842c100c25667195017014ae upstream.
If, on a 64 bit system, a vCPU ID is provided that has the upper 32 bits
set to a non-zero value, it may get accepted if the truncated to 32 bits
integer value is below KVM_MAX_VCPU_IDS and 'max_vcpus'. This feels very
wrong and triggered the reporting logic of PaX's SIZE_OVERFLOW plugin.
Instead of silently truncating and accepting such values, pass the full
value to kvm_vm_ioctl_create_vcpu() and make the existing limit checks
return an error.
Even if this is a userland ABI breaking change, no sane userland could
have ever relied on that behaviour.
Reported-by: PaX's SIZE_OVERFLOW plugin running on grsecurity's syzkaller
Fixes:
|
||
---|---|---|
.. | ||
Kconfig | ||
Makefile.kvm | ||
async_pf.c | ||
async_pf.h | ||
binary_stats.c | ||
coalesced_mmio.c | ||
coalesced_mmio.h | ||
dirty_ring.c | ||
eventfd.c | ||
irqchip.c | ||
kvm_main.c | ||
kvm_mm.h | ||
pfncache.c | ||
vfio.c | ||
vfio.h |