nagai/kernel
3
0
Fork 0
forked from mirrors/linux
Code Pull requests Activity

KVM: validate userspace input in kvm_clear_dirty_log_protect()

Browse source 
The function at issue does not fully validate the content of the
structure pointed by the log parameter, though its content has just been
copied from userspace and lacks validation. Fix that.

Moreover, change the type of n to unsigned long as that is the type
returned by kvm_dirty_bitmap_bytes().

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+028366e52c9ace67deb3@syzkaller.appspotmail.com
[Squashed the fix from Paolo. - Radim.]
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
This commit is contained in:
Tomas Bortoli 2019-01-02 18:29:37 +01:00 committed by Radim Krčmář
parent d14eff1bc5
commit 98938aa8ed
1 changed files with 7 additions and 2 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

9
virt/kvm/kvm_main.c
View file

@ -1227,9 +1227,9 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm,
{ {
struct kvm_memslots *slots; struct kvm_memslots *slots;
struct kvm_memory_slot *memslot; struct kvm_memory_slot *memslot;
int as_id, id, n; int as_id, id;
gfn_t offset; gfn_t offset;
unsigned long i; unsigned long i, n;
unsigned long *dirty_bitmap; unsigned long *dirty_bitmap;
unsigned long *dirty_bitmap_buffer; unsigned long *dirty_bitmap_buffer;
@ -1249,6 +1249,11 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm,
return -ENOENT; return -ENOENT;
n = kvm_dirty_bitmap_bytes(memslot); n = kvm_dirty_bitmap_bytes(memslot);
if (log->first_page > memslot->npages ||
log->num_pages > memslot->npages - log->first_page)
return -EINVAL;
*flush = false; *flush = false;
dirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot); dirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot);
if (copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n)) if (copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n))