Fix missing bounds-checking in coalesced_mmio (CVE-2019-14821).
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAABAgAGBQJdgje9AAoJEL/70l94x66DUbUIAK8RZGYERVA/z4sWUKAyKW+C 1n+NTKSBKlHQuqtnAJA+Ba9ylbNkVy+rp8YTNz0GFGYtWU86RLB3Xv2NbNFj04kE 8bD1O6fc6mtMkjvOP8OH2bJokPJHMfdinS2uWsduYEj+FPQhUSBbtN4AZQX9yK60 fd2L5LRGdIa+ZUbKuGytm0ZDhsfTRdk9rc+FqR7iMqd1mpjit+NSQC2eVWCQFFtt II2KX7DgnogCaidAMhKmZZQsHrBJ+m7+OcnnzsXiTePzySOAYz4j1rJfVBC2S2M4 jeVqSZeofdHmAWbZv55Cuc3mTAe7hPWYRTQNbPm/rWTdBGZKF619+GZpAWb+BDk= =dbXn -----END PGP SIGNATURE----- Merge tag 'for-linus-urgent' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fix from Paolo Bonzini: "Fix missing bounds-checking in coalesced_mmio (CVE-2019-14821)" * tag 'for-linus-urgent' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: coalesced_mmio: add bounds checking
This commit is contained in:
commit
404e634fdb
|
@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev,
|
|||
return 1;
|
||||
}
|
||||
|
||||
static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
|
||||
static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
|
||||
{
|
||||
struct kvm_coalesced_mmio_ring *ring;
|
||||
unsigned avail;
|
||||
|
@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
|
|||
* there is always one unused entry in the buffer
|
||||
*/
|
||||
ring = dev->kvm->coalesced_mmio_ring;
|
||||
avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
|
||||
avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
|
||||
if (avail == 0) {
|
||||
/* full */
|
||||
return 0;
|
||||
|
@ -67,25 +67,28 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu,
|
|||
{
|
||||
struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
|
||||
struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
|
||||
__u32 insert;
|
||||
|
||||
if (!coalesced_mmio_in_range(dev, addr, len))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
spin_lock(&dev->kvm->ring_lock);
|
||||
|
||||
if (!coalesced_mmio_has_room(dev)) {
|
||||
insert = READ_ONCE(ring->last);
|
||||
if (!coalesced_mmio_has_room(dev, insert) ||
|
||||
insert >= KVM_COALESCED_MMIO_MAX) {
|
||||
spin_unlock(&dev->kvm->ring_lock);
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
/* copy data in first free entry of the ring */
|
||||
|
||||
ring->coalesced_mmio[ring->last].phys_addr = addr;
|
||||
ring->coalesced_mmio[ring->last].len = len;
|
||||
memcpy(ring->coalesced_mmio[ring->last].data, val, len);
|
||||
ring->coalesced_mmio[ring->last].pio = dev->zone.pio;
|
||||
ring->coalesced_mmio[insert].phys_addr = addr;
|
||||
ring->coalesced_mmio[insert].len = len;
|
||||
memcpy(ring->coalesced_mmio[insert].data, val, len);
|
||||
ring->coalesced_mmio[insert].pio = dev->zone.pio;
|
||||
smp_wmb();
|
||||
ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
|
||||
ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
|
||||
spin_unlock(&dev->kvm->ring_lock);
|
||||
return 0;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue