* [PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map
[not found] <1568712761-11089-1-git-send-email-liuyun01@kylinos.cn>
@ 2019-09-17 9:32 ` Jackie Liu
2019-09-17 9:34 ` Jackie Liu
2019-09-17 9:32 ` [PATCH 3/4] CVE-2018-20855: IB/mlx5: Fix leaking stack memory to userspace Jackie Liu
1 sibling, 1 reply; 4+ messages in thread
From: Jackie Liu @ 2019-09-17 9:32 UTC (permalink / raw)
To: wangqi; +Cc: nh, Radim Krčmář, stable, Jackie Liu
From: Radim Krčmář <rkrcmar@redhat.com>
KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
bigger that the maximal number of VCPUs, resulting in out-of-bounds
access.
Found by syzkaller:
BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
Write of size 1 by task a.out/27101
CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[...]
Call Trace:
[...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
[...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
[...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
[...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
[...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
[...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
[...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
[...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
[...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
[...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: af1bae5497b9 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
arch/x86/kvm/ioapic.c | 2 +-
arch/x86/kvm/ioapic.h | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
index ec62df3..d25cbac 100644
--- a/arch/x86/kvm/ioapic.c
+++ b/arch/x86/kvm/ioapic.c
@@ -94,7 +94,7 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
{
ioapic->rtc_status.pending_eoi = 0;
- bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPUS);
+ bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
}
static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);
diff --git a/arch/x86/kvm/ioapic.h b/arch/x86/kvm/ioapic.h
index 7d2692a..1cc6e54 100644
--- a/arch/x86/kvm/ioapic.h
+++ b/arch/x86/kvm/ioapic.h
@@ -42,13 +42,13 @@ struct kvm_vcpu;
struct dest_map {
/* vcpu bitmap where IRQ has been sent */
- DECLARE_BITMAP(map, KVM_MAX_VCPUS);
+ DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
/*
* Vector sent to a given vcpu, only valid when
* the vcpu's bit in map is set
*/
- u8 vectors[KVM_MAX_VCPUS];
+ u8 vectors[KVM_MAX_VCPU_ID];
};
--
2.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 3/4] CVE-2018-20855: IB/mlx5: Fix leaking stack memory to userspace
[not found] <1568712761-11089-1-git-send-email-liuyun01@kylinos.cn>
2019-09-17 9:32 ` [PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map Jackie Liu
@ 2019-09-17 9:32 ` Jackie Liu
2019-09-17 9:34 ` Jackie Liu
1 sibling, 1 reply; 4+ messages in thread
From: Jackie Liu @ 2019-09-17 9:32 UTC (permalink / raw)
To: wangqi; +Cc: nh, Jason Gunthorpe, stable, Jackie Liu
From: Jason Gunthorpe <jgg@mellanox.com>
mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
were written.
Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
Cc: <stable@vger.kernel.org>
Acked-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
drivers/infiniband/hw/mlx5/qp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index cfcfbb6..359d41e 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -861,7 +861,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
{
struct mlx5_ib_resources *devr = &dev->devr;
struct mlx5_core_dev *mdev = dev->mdev;
- struct mlx5_ib_create_qp_resp resp;
+ struct mlx5_ib_create_qp_resp resp = {};
struct mlx5_create_qp_mbox_in *in;
struct mlx5_ib_create_qp ucmd;
int inlen = sizeof(*in);
--
2.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 3/4] CVE-2018-20855: IB/mlx5: Fix leaking stack memory to userspace
2019-09-17 9:32 ` [PATCH 3/4] CVE-2018-20855: IB/mlx5: Fix leaking stack memory to userspace Jackie Liu
@ 2019-09-17 9:34 ` Jackie Liu
0 siblings, 0 replies; 4+ messages in thread
From: Jackie Liu @ 2019-09-17 9:34 UTC (permalink / raw)
To: 王琦; +Cc: nh, Jason Gunthorpe, stable
> 在 2019年9月17日,17:32,Jackie Liu <liuyun01@kylinos.cn> 写道:
>
> From: Jason Gunthorpe <jgg@mellanox.com>
>
> mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
> were written.
>
> Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
> Cc: <stable@vger.kernel.org>
> Acked-by: Leon Romanovsky <leonro@mellanox.com>
> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
> ---
> drivers/infiniband/hw/mlx5/qp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
> index cfcfbb6..359d41e 100644
> --- a/drivers/infiniband/hw/mlx5/qp.c
> +++ b/drivers/infiniband/hw/mlx5/qp.c
> @@ -861,7 +861,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
> {
> struct mlx5_ib_resources *devr = &dev->devr;
> struct mlx5_core_dev *mdev = dev->mdev;
> - struct mlx5_ib_create_qp_resp resp;
> + struct mlx5_ib_create_qp_resp resp = {};
> struct mlx5_create_qp_mbox_in *in;
> struct mlx5_ib_create_qp ucmd;
> int inlen = sizeof(*in);
> --
> 2.7.4
>
Sorry for noise, please ignore.
--
BR, Jackie Liu
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map
2019-09-17 9:32 ` [PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map Jackie Liu
@ 2019-09-17 9:34 ` Jackie Liu
0 siblings, 0 replies; 4+ messages in thread
From: Jackie Liu @ 2019-09-17 9:34 UTC (permalink / raw)
To: 王琦; +Cc: nh, Radim Krčmář, stable
Sorry for noise, please ignore.
> 在 2019年9月17日,17:32,Jackie Liu <liuyun01@kylinos.cn> 写道:
>
> From: Radim Krčmář <rkrcmar@redhat.com>
>
> KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
> bigger that the maximal number of VCPUs, resulting in out-of-bounds
> access.
>
> Found by syzkaller:
>
> BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
> Write of size 1 by task a.out/27101
> CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> [...]
> Call Trace:
> [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
> [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
> [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
> [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
> [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
> [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
> [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
> [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
> [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
> [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: stable@vger.kernel.org
> Fixes: af1bae5497b9 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
> Reviewed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
> ---
> arch/x86/kvm/ioapic.c | 2 +-
> arch/x86/kvm/ioapic.h | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
> index ec62df3..d25cbac 100644
> --- a/arch/x86/kvm/ioapic.c
> +++ b/arch/x86/kvm/ioapic.c
> @@ -94,7 +94,7 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
> static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
> {
> ioapic->rtc_status.pending_eoi = 0;
> - bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPUS);
> + bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
> }
>
> static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);
> diff --git a/arch/x86/kvm/ioapic.h b/arch/x86/kvm/ioapic.h
> index 7d2692a..1cc6e54 100644
> --- a/arch/x86/kvm/ioapic.h
> +++ b/arch/x86/kvm/ioapic.h
> @@ -42,13 +42,13 @@ struct kvm_vcpu;
>
> struct dest_map {
> /* vcpu bitmap where IRQ has been sent */
> - DECLARE_BITMAP(map, KVM_MAX_VCPUS);
> + DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
>
> /*
> * Vector sent to a given vcpu, only valid when
> * the vcpu's bit in map is set
> */
> - u8 vectors[KVM_MAX_VCPUS];
> + u8 vectors[KVM_MAX_VCPU_ID];
> };
>
>
> --
> 2.7.4
>
--
BR, Jackie Liu
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-09-17 9:45 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <1568712761-11089-1-git-send-email-liuyun01@kylinos.cn>
2019-09-17 9:32 ` [PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map Jackie Liu
2019-09-17 9:34 ` Jackie Liu
2019-09-17 9:32 ` [PATCH 3/4] CVE-2018-20855: IB/mlx5: Fix leaking stack memory to userspace Jackie Liu
2019-09-17 9:34 ` Jackie Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).