* how to report kvm bug?
@ 2017-05-18 6:51 Moguofang (Dennis mo)
2017-05-18 7:19 ` Wanpeng Li
0 siblings, 1 reply; 10+ messages in thread
From: Moguofang (Dennis mo) @ 2017-05-18 6:51 UTC (permalink / raw)
To: kvm; +Cc: Zhouyu (Axis Zhou, ICSL)
Hello!
I found an out-of-bounds read bug in kvm kernel pio functions, how to report the bug?
Kind regards
moguofang
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: how to report kvm bug?
2017-05-18 6:51 how to report kvm bug? Moguofang (Dennis mo)
@ 2017-05-18 7:19 ` Wanpeng Li
[not found] ` <CC01CF939DBB24468C9944BB5AB21407E5690744@DGGEMM527-MBX.china.huawei.com>
[not found] ` <CC01CF939DBB24468C9944BB5AB21407E569E832@DGGEMM527-MBX.china.huawei.com>
0 siblings, 2 replies; 10+ messages in thread
From: Wanpeng Li @ 2017-05-18 7:19 UTC (permalink / raw)
To: Moguofang (Dennis mo); +Cc: kvm, Zhouyu (Axis Zhou, ICSL)
2017-05-18 14:51 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
> Hello!
> I found an out-of-bounds read bug in kvm kernel pio functions, how to report the bug?
You can post it here.
Regards,
Wanpeng Li
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: 答复: how to report kvm bug?
[not found] ` <CC01CF939DBB24468C9944BB5AB21407E5690744@DGGEMM527-MBX.china.huawei.com>
@ 2017-05-18 10:48 ` Wanpeng Li
2017-05-19 1:33 ` 答复: " Moguofang (Dennis mo)
0 siblings, 1 reply; 10+ messages in thread
From: Wanpeng Li @ 2017-05-18 10:48 UTC (permalink / raw)
To: Moguofang (Dennis mo); +Cc: kvm, Zhouyu (Axis Zhou, ICSL)
2017-05-18 15:25 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
>
>
> -----邮件原件-----
> 发件人: Wanpeng Li [mailto:kernellwp@gmail.com]
> 发送时间: 2017年5月18日 15:19
> 收件人: Moguofang (Dennis mo)
> 抄送: kvm@vger.kernel.org; Zhouyu (Axis Zhou, ICSL)
> 主题: Re: how to report kvm bug?
>
> 2017-05-18 14:51 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
>> Hello!
>> I found an out-of-bounds read bug in kvm kernel pio functions, how to report the bug?
>
I just figure it out and will send out a patch soon.
Regards,
Wanpeng Li
^ permalink raw reply [flat|nested] 10+ messages in thread
* 答复: 答复: how to report kvm bug?
2017-05-18 10:48 ` 答复: " Wanpeng Li
@ 2017-05-19 1:33 ` Moguofang (Dennis mo)
2017-05-19 9:48 ` Wanpeng Li
0 siblings, 1 reply; 10+ messages in thread
From: Moguofang (Dennis mo) @ 2017-05-19 1:33 UTC (permalink / raw)
To: Wanpeng Li; +Cc: kvm, Zhouyu (Axis Zhou, ICSL)
Will you still need the C program or not? When the patch release?
-----邮件原件-----
发件人: Wanpeng Li [mailto:kernellwp@gmail.com]
发送时间: 2017年5月18日 18:49
收件人: Moguofang (Dennis mo)
抄送: kvm@vger.kernel.org; Zhouyu (Axis Zhou, ICSL)
主题: Re: 答复: how to report kvm bug?
2017-05-18 15:25 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
>
>
> -----邮件原件-----
> 发件人: Wanpeng Li [mailto:kernellwp@gmail.com]
> 发送时间: 2017年5月18日 15:19
> 收件人: Moguofang (Dennis mo)
> 抄送: kvm@vger.kernel.org; Zhouyu (Axis Zhou, ICSL)
> 主题: Re: how to report kvm bug?
>
> 2017-05-18 14:51 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
>> Hello!
>> I found an out-of-bounds read bug in kvm kernel pio functions, how to report the bug?
>
I just figure it out and will send out a patch soon.
Regards,
Wanpeng Li
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: 答复: 答复: how to report kvm bug?
2017-05-19 1:33 ` 答复: " Moguofang (Dennis mo)
@ 2017-05-19 9:48 ` Wanpeng Li
0 siblings, 0 replies; 10+ messages in thread
From: Wanpeng Li @ 2017-05-19 9:48 UTC (permalink / raw)
To: Moguofang (Dennis mo); +Cc: kvm, Zhouyu (Axis Zhou, ICSL)
2017-05-19 9:33 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
> Will you still need the C program or not? When the patch release?
I just send out the patch w/ a similar test cast, please have a try.
Regards,
Wanpeng Li
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: KVM vulnerability report about cpuid instruction
[not found] ` <CC01CF939DBB24468C9944BB5AB21407E569E832@DGGEMM527-MBX.china.huawei.com>
@ 2017-06-07 7:18 ` Wanpeng Li
2017-06-07 8:31 ` Wanpeng Li
1 sibling, 0 replies; 10+ messages in thread
From: Wanpeng Li @ 2017-06-07 7:18 UTC (permalink / raw)
To: Moguofang (Dennis mo); +Cc: kvm, Zhouyu (Axis Zhou, ICSL)
2017-06-07 15:09 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
> Hello!
> A new vulnerability discover by me.
Thanks for the report, I will have a look.
Regards,
Wanpeng Li
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: KVM vulnerability report about cpuid instruction
[not found] ` <CC01CF939DBB24468C9944BB5AB21407E569E832@DGGEMM527-MBX.china.huawei.com>
2017-06-07 7:18 ` KVM vulnerability report about cpuid instruction Wanpeng Li
@ 2017-06-07 8:31 ` Wanpeng Li
2017-06-07 9:14 ` 答复: " Moguofang (Dennis mo)
1 sibling, 1 reply; 10+ messages in thread
From: Wanpeng Li @ 2017-06-07 8:31 UTC (permalink / raw)
To: Moguofang (Dennis mo); +Cc: kvm, Zhouyu (Axis Zhou, ICSL)
2017-06-07 15:09 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
> Hello!
> A new vulnerability discover by me.
Could you test something like this?
--------------------------->8-------------------------------------------------------------
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index a181ae7..b927a42 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid,
static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i)
{
+ int j = i, nent = vcpu->arch.cpuid_nent;
struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i];
- int j, nent = vcpu->arch.cpuid_nent;
+ struct kvm_cpuid_entry2 *ej;
e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT;
/* when no next entry is found, the current entry[i] is reselected */
- for (j = i + 1; ; j = (j + 1) % nent) {
- struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j];
- if (ej->function == e->function) {
- ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
- return j;
- }
- }
- return 0; /* silence gcc, even though control never reaches here */
+ do {
+ j = (j + 1) % nent;
+ ej = &vcpu->arch.cpuid_entries[j];
+ } while(ej->function != e->function);
+
+ ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
+
+ return j;
}
/* find an entry with matching function, matching index (if needed), and that
^ permalink raw reply related [flat|nested] 10+ messages in thread
* 答复: KVM vulnerability report about cpuid instruction
2017-06-07 8:31 ` Wanpeng Li
@ 2017-06-07 9:14 ` Moguofang (Dennis mo)
2017-06-07 9:54 ` Wanpeng Li
0 siblings, 1 reply; 10+ messages in thread
From: Moguofang (Dennis mo) @ 2017-06-07 9:14 UTC (permalink / raw)
To: Wanpeng Li; +Cc: kvm, Zhouyu (Axis Zhou, ICSL)
the patch fixed the oob vulnerability when i = 79, but maybe the patch introduces an infinite loop, if i = 79, then j = 0, the do-while loop use cpuid_entries[0-78] to compare cpuid_entries[79], maybe fall into infinite loop.
Kind regards
moguofang
-----邮件原件-----
发件人: Wanpeng Li [mailto:kernellwp@gmail.com]
发送时间: 2017年6月7日 16:32
收件人: Moguofang (Dennis mo)
抄送: kvm@vger.kernel.org; Zhouyu (Axis Zhou, ICSL)
主题: Re: KVM vulnerability report about cpuid instruction
2017-06-07 15:09 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
> Hello!
> A new vulnerability discover by me.
Could you test something like this?
--------------------------->8-------------------------------------------
--------------------------->------------------
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index a181ae7..b927a42 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid,
static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i) {
+ int j = i, nent = vcpu->arch.cpuid_nent;
struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i];
- int j, nent = vcpu->arch.cpuid_nent;
+ struct kvm_cpuid_entry2 *ej;
e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT;
/* when no next entry is found, the current entry[i] is reselected */
- for (j = i + 1; ; j = (j + 1) % nent) {
- struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j];
- if (ej->function == e->function) {
- ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
- return j;
- }
- }
- return 0; /* silence gcc, even though control never reaches here */
+ do {
+ j = (j + 1) % nent;
+ ej = &vcpu->arch.cpuid_entries[j];
+ } while(ej->function != e->function);
+
+ ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
+
+ return j;
}
/* find an entry with matching function, matching index (if needed), and that
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: 答复: KVM vulnerability report about cpuid instruction
2017-06-07 9:14 ` 答复: " Moguofang (Dennis mo)
@ 2017-06-07 9:54 ` Wanpeng Li
2017-06-07 10:37 ` Wanpeng Li
0 siblings, 1 reply; 10+ messages in thread
From: Wanpeng Li @ 2017-06-07 9:54 UTC (permalink / raw)
To: Moguofang (Dennis mo); +Cc: kvm, Zhouyu (Axis Zhou, ICSL)
2017-06-07 17:14 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
> the patch fixed the oob vulnerability when i = 79, but maybe the patch introduces an infinite loop, if i = 79, then j = 0, the do-while loop use cpuid_entries[0-78] to compare cpuid_entries[79], maybe fall into infinite loop.
It will not happen, if i == j, then ej->function == e->function and
for loop exit.
Anyway, another method is:
- for (j = i + 1; ; j = (j + 1) % nent) {
+ for (j = (i + 1) % nent; ; j = (j + 1) % nent) {
Regards,
Wanpeng Li
>
> Kind regards
> moguofang
>
> -----邮件原件-----
> 发件人: Wanpeng Li [mailto:kernellwp@gmail.com]
> 发送时间: 2017年6月7日 16:32
> 收件人: Moguofang (Dennis mo)
> 抄送: kvm@vger.kernel.org; Zhouyu (Axis Zhou, ICSL)
> 主题: Re: KVM vulnerability report about cpuid instruction
>
> 2017-06-07 15:09 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
>> Hello!
>> A new vulnerability discover by me.
>
> Could you test something like this?
>
> --------------------------->8-------------------------------------------
> --------------------------->------------------
>
> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
>
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index a181ae7..b927a42 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid,
>
> static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i) {
> + int j = i, nent = vcpu->arch.cpuid_nent;
> struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i];
> - int j, nent = vcpu->arch.cpuid_nent;
> + struct kvm_cpuid_entry2 *ej;
>
> e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT;
> /* when no next entry is found, the current entry[i] is reselected */
> - for (j = i + 1; ; j = (j + 1) % nent) {
> - struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j];
> - if (ej->function == e->function) {
> - ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
> - return j;
> - }
> - }
> - return 0; /* silence gcc, even though control never reaches here */
> + do {
> + j = (j + 1) % nent;
> + ej = &vcpu->arch.cpuid_entries[j];
> + } while(ej->function != e->function);
> +
> + ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
> +
> + return j;
> }
>
> /* find an entry with matching function, matching index (if needed), and that
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: 答复: KVM vulnerability report about cpuid instruction
2017-06-07 9:54 ` Wanpeng Li
@ 2017-06-07 10:37 ` Wanpeng Li
0 siblings, 0 replies; 10+ messages in thread
From: Wanpeng Li @ 2017-06-07 10:37 UTC (permalink / raw)
To: Paolo Bonzini; +Cc: kvm, Zhouyu (Axis Zhou, ICSL), Moguofang (Dennis mo)
2017-06-07 17:54 GMT+08:00 Wanpeng Li <kernellwp@gmail.com>:
> 2017-06-07 17:14 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
>> the patch fixed the oob vulnerability when i = 79, but maybe the patch introduces an infinite loop, if i = 79, then j = 0, the do-while loop use cpuid_entries[0-78] to compare cpuid_entries[79], maybe fall into infinite loop.
>
> It will not happen, if i == j, then ej->function == e->function and
> for loop exit.
>
> Anyway, another method is:
>
> - for (j = i + 1; ; j = (j + 1) % nent) {
> + for (j = (i + 1) % nent; ; j = (j + 1) % nent) {
Paolo, which one do you prefer?
Regards,
Wanpeng Li
>>
>> Kind regards
>> moguofang
>>
>> -----邮件原件-----
>> 发件人: Wanpeng Li [mailto:kernellwp@gmail.com]
>> 发送时间: 2017年6月7日 16:32
>> 收件人: Moguofang (Dennis mo)
>> 抄送: kvm@vger.kernel.org; Zhouyu (Axis Zhou, ICSL)
>> 主题: Re: KVM vulnerability report about cpuid instruction
>>
>> 2017-06-07 15:09 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
>>> Hello!
>>> A new vulnerability discover by me.
>>
>> Could you test something like this?
>>
>> --------------------------->8-------------------------------------------
>> --------------------------->------------------
>>
>> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
>>
>> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index a181ae7..b927a42 100644
>> --- a/arch/x86/kvm/cpuid.c
>> +++ b/arch/x86/kvm/cpuid.c
>> @@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid,
>>
>> static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i) {
>> + int j = i, nent = vcpu->arch.cpuid_nent;
>> struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i];
>> - int j, nent = vcpu->arch.cpuid_nent;
>> + struct kvm_cpuid_entry2 *ej;
>>
>> e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT;
>> /* when no next entry is found, the current entry[i] is reselected */
>> - for (j = i + 1; ; j = (j + 1) % nent) {
>> - struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j];
>> - if (ej->function == e->function) {
>> - ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
>> - return j;
>> - }
>> - }
>> - return 0; /* silence gcc, even though control never reaches here */
>> + do {
>> + j = (j + 1) % nent;
>> + ej = &vcpu->arch.cpuid_entries[j];
>> + } while(ej->function != e->function);
>> +
>> + ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
>> +
>> + return j;
>> }
>>
>> /* find an entry with matching function, matching index (if needed), and that
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2017-06-07 10:37 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-18 6:51 how to report kvm bug? Moguofang (Dennis mo)
2017-05-18 7:19 ` Wanpeng Li
[not found] ` <CC01CF939DBB24468C9944BB5AB21407E5690744@DGGEMM527-MBX.china.huawei.com>
2017-05-18 10:48 ` 答复: " Wanpeng Li
2017-05-19 1:33 ` 答复: " Moguofang (Dennis mo)
2017-05-19 9:48 ` Wanpeng Li
[not found] ` <CC01CF939DBB24468C9944BB5AB21407E569E832@DGGEMM527-MBX.china.huawei.com>
2017-06-07 7:18 ` KVM vulnerability report about cpuid instruction Wanpeng Li
2017-06-07 8:31 ` Wanpeng Li
2017-06-07 9:14 ` 答复: " Moguofang (Dennis mo)
2017-06-07 9:54 ` Wanpeng Li
2017-06-07 10:37 ` Wanpeng Li
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.