mirror of
https://github.com/S3NEO/android_kernel_samsung_msm8226.git
synced 2024-11-07 03:47:13 +00:00
KVM: coalesced_mmio: add bounds checking
commit b60fe990c6b07ef6d4df67bc0530c7c90a62623a upstream.
The first/last indexes are typically shared with a user app.
The app can change the 'last' index that the kernel uses
to store the next result. This change sanity checks the index
before using it for writing to a potentially arbitrary address.
This fixes CVE-2019-14821.
Fixes: 5f94c1741b
("KVM: Add coalesced MMIO support (common part)")
Signed-off-by: Matt Delco <delco@chromium.org>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
[Use READ_ONCE. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[bwh: Backported to 3.16:
- Use ACCESS_ONCE() instead of READ_ONCE()
- kvm_coalesced_mmio_zone::pio field is not supported]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Change-Id: I9e34e14d695dc507757fa215407f0b7ac9445e2b
This commit is contained in:
parent
5e8174e74d
commit
c7aed1b745
1 changed files with 10 additions and 7 deletions
|
@ -39,7 +39,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev,
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
|
static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
|
||||||
{
|
{
|
||||||
struct kvm_coalesced_mmio_ring *ring;
|
struct kvm_coalesced_mmio_ring *ring;
|
||||||
unsigned avail;
|
unsigned avail;
|
||||||
|
@ -51,7 +51,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
|
||||||
* there is always one unused entry in the buffer
|
* there is always one unused entry in the buffer
|
||||||
*/
|
*/
|
||||||
ring = dev->kvm->coalesced_mmio_ring;
|
ring = dev->kvm->coalesced_mmio_ring;
|
||||||
avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
|
avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
|
||||||
if (avail == 0) {
|
if (avail == 0) {
|
||||||
/* full */
|
/* full */
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -65,24 +65,27 @@ static int coalesced_mmio_write(struct kvm_io_device *this,
|
||||||
{
|
{
|
||||||
struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
|
struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
|
||||||
struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
|
struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
|
||||||
|
__u32 insert;
|
||||||
|
|
||||||
if (!coalesced_mmio_in_range(dev, addr, len))
|
if (!coalesced_mmio_in_range(dev, addr, len))
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
spin_lock(&dev->kvm->ring_lock);
|
spin_lock(&dev->kvm->ring_lock);
|
||||||
|
|
||||||
if (!coalesced_mmio_has_room(dev)) {
|
insert = ACCESS_ONCE(ring->last);
|
||||||
|
if (!coalesced_mmio_has_room(dev, insert) ||
|
||||||
|
insert >= KVM_COALESCED_MMIO_MAX) {
|
||||||
spin_unlock(&dev->kvm->ring_lock);
|
spin_unlock(&dev->kvm->ring_lock);
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* copy data in first free entry of the ring */
|
/* copy data in first free entry of the ring */
|
||||||
|
|
||||||
ring->coalesced_mmio[ring->last].phys_addr = addr;
|
ring->coalesced_mmio[insert].phys_addr = addr;
|
||||||
ring->coalesced_mmio[ring->last].len = len;
|
ring->coalesced_mmio[insert].len = len;
|
||||||
memcpy(ring->coalesced_mmio[ring->last].data, val, len);
|
memcpy(ring->coalesced_mmio[insert].data, val, len);
|
||||||
smp_wmb();
|
smp_wmb();
|
||||||
ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
|
ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
|
||||||
spin_unlock(&dev->kvm->ring_lock);
|
spin_unlock(&dev->kvm->ring_lock);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue