• Wanpeng Li's avatar
    KVM: LAPIC: Fix pv ipis out-of-bounds access · bdf7ffc8
    Wanpeng Li authored
    Dan Carpenter reported that the untrusted data returns from kvm_register_read()
    results in the following static checker warning:
      arch/x86/kvm/lapic.c:576 kvm_pv_send_ipi()
      error: buffer underflow 'map->phys_map' 's32min-s32max'
    
    KVM guest can easily trigger this by executing the following assembly sequence
    in Ring0:
    
    mov $10, %rax
    mov $0xFFFFFFFF, %rbx
    mov $0xFFFFFFFF, %rdx
    mov $0, %rsi
    vmcall
    
    As this will cause KVM to execute the following code-path:
    vmx_handle_exit() -> handle_vmcall() -> kvm_emulate_hypercall() -> kvm_pv_send_ipi()
    which will reach out-of-bounds access.
    
    This patch fixes it by adding a check to kvm_pv_send_ipi() against map->max_apic_id,
    ignoring destinations that are not present and delivering the rest. We also check
    whether or not map->phys_map[min + i] is NULL since the max_apic_id is set to the
    max apic id, some phys_map maybe NULL when apic id is sparse, especially kvm
    unconditionally set max_apic_id to 255 to reserve enough space for any xAPIC ID.
    Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
    Reviewed-by: default avatarLiran Alon <liran.alon@oracle.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Cc: Liran Alon <liran.alon@oracle.com>
    Cc: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: default avatarWanpeng Li <wanpengli@tencent.com>
    [Add second "if (min > map->max_apic_id)" to complete the fix. -Radim]
    Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
    bdf7ffc8
lapic.c 67 KB