[PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map

[PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map

[Jackie Liu]

From: Radim Krčmář <rkrcmar@redhat.com>

KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
bigger that the maximal number of VCPUs, resulting in out-of-bounds
access.

Found by syzkaller:

  BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
  Write of size 1 by task a.out/27101
  CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
   [...]
  Call Trace:
   [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
   [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
   [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
   [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
   [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
   [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
   [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
   [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
   [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
   [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: af1bae5497b9 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
 arch/x86/kvm/ioapic.c | 2 +-
 arch/x86/kvm/ioapic.h | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
index ec62df3..d25cbac 100644
--- a/arch/x86/kvm/ioapic.c
+++ b/arch/x86/kvm/ioapic.c
@@ -94,7 +94,7 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
 static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
 {
 	ioapic->rtc_status.pending_eoi = 0;
-	bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPUS);
+	bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
 }
 
 static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);
diff --git a/arch/x86/kvm/ioapic.h b/arch/x86/kvm/ioapic.h
index 7d2692a..1cc6e54 100644
--- a/arch/x86/kvm/ioapic.h
+++ b/arch/x86/kvm/ioapic.h
@@ -42,13 +42,13 @@ struct kvm_vcpu;
 
 struct dest_map {
 	/* vcpu bitmap where IRQ has been sent */
-	DECLARE_BITMAP(map, KVM_MAX_VCPUS);
+	DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
 
 	/*
 	 * Vector sent to a given vcpu, only valid when
 	 * the vcpu's bit in map is set
 	 */
-	u8 vectors[KVM_MAX_VCPUS];
+	u8 vectors[KVM_MAX_VCPU_ID];
 };
 
 
-- 
2.7.4

[PATCH 3/4] CVE-2018-20855: IB/mlx5: Fix leaking stack memory to userspace

[Jackie Liu]

From: Jason Gunthorpe <jgg@mellanox.com>

mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
were written.

Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
Cc: <stable@vger.kernel.org>
Acked-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
---
 drivers/infiniband/hw/mlx5/qp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index cfcfbb6..359d41e 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -861,7 +861,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
 {
 	struct mlx5_ib_resources *devr = &dev->devr;
 	struct mlx5_core_dev *mdev = dev->mdev;
-	struct mlx5_ib_create_qp_resp resp;
+	struct mlx5_ib_create_qp_resp resp = {};
 	struct mlx5_create_qp_mbox_in *in;
 	struct mlx5_ib_create_qp ucmd;
 	int inlen = sizeof(*in);
-- 
2.7.4

Re: [PATCH 3/4] CVE-2018-20855: IB/mlx5: Fix leaking stack memory to userspace

[Jackie Liu]

> 在 2019年9月17日，17:32，Jackie Liu <liuyun01@kylinos.cn> 写道：
> 
> From: Jason Gunthorpe <jgg@mellanox.com>
> 
> mlx5_ib_create_qp_resp was never initialized and only the first 4 bytes
> were written.
> 
> Fixes: 41d902cb7c32 ("RDMA/mlx5: Fix definition of mlx5_ib_create_qp_resp")
> Cc: <stable@vger.kernel.org>
> Acked-by: Leon Romanovsky <leonro@mellanox.com>
> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
> ---
> drivers/infiniband/hw/mlx5/qp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
> index cfcfbb6..359d41e 100644
> --- a/drivers/infiniband/hw/mlx5/qp.c
> +++ b/drivers/infiniband/hw/mlx5/qp.c
> @@ -861,7 +861,7 @@ static int create_qp_common(struct mlx5_ib_dev *dev, struct ib_pd *pd,
> {
> 	struct mlx5_ib_resources *devr = &dev->devr;
> 	struct mlx5_core_dev *mdev = dev->mdev;
> -	struct mlx5_ib_create_qp_resp resp;
> +	struct mlx5_ib_create_qp_resp resp = {};
> 	struct mlx5_create_qp_mbox_in *in;
> 	struct mlx5_ib_create_qp ucmd;
> 	int inlen = sizeof(*in);
> -- 
> 2.7.4
> 

Sorry for noise, please ignore.

--
BR, Jackie Liu

Re: [PATCH 2/4] CVE-2016-9777: KVM: x86: fix out-of-bounds accesses of rtc_eoi map

[Jackie Liu]

Sorry for noise, please ignore.

> 在 2019年9月17日，17:32，Jackie Liu <liuyun01@kylinos.cn> 写道：
> 
> From: Radim Krčmář <rkrcmar@redhat.com>
> 
> KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
> bigger that the maximal number of VCPUs, resulting in out-of-bounds
> access.
> 
> Found by syzkaller:
> 
>  BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
>  Write of size 1 by task a.out/27101
>  CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
>  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>   [...]
>  Call Trace:
>   [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
>   [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
>   [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
>   [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
>   [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
>   [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
>   [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
>   [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
>   [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
>   [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099
> 
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: stable@vger.kernel.org
> Fixes: af1bae5497b9 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
> Reviewed-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
> Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
> ---
> arch/x86/kvm/ioapic.c | 2 +-
> arch/x86/kvm/ioapic.h | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/arch/x86/kvm/ioapic.c b/arch/x86/kvm/ioapic.c
> index ec62df3..d25cbac 100644
> --- a/arch/x86/kvm/ioapic.c
> +++ b/arch/x86/kvm/ioapic.c
> @@ -94,7 +94,7 @@ static unsigned long ioapic_read_indirect(struct kvm_ioapic *ioapic,
> static void rtc_irq_eoi_tracking_reset(struct kvm_ioapic *ioapic)
> {
> 	ioapic->rtc_status.pending_eoi = 0;
> -	bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPUS);
> +	bitmap_zero(ioapic->rtc_status.dest_map.map, KVM_MAX_VCPU_ID);
> }
> 
> static void kvm_rtc_eoi_tracking_restore_all(struct kvm_ioapic *ioapic);
> diff --git a/arch/x86/kvm/ioapic.h b/arch/x86/kvm/ioapic.h
> index 7d2692a..1cc6e54 100644
> --- a/arch/x86/kvm/ioapic.h
> +++ b/arch/x86/kvm/ioapic.h
> @@ -42,13 +42,13 @@ struct kvm_vcpu;
> 
> struct dest_map {
> 	/* vcpu bitmap where IRQ has been sent */
> -	DECLARE_BITMAP(map, KVM_MAX_VCPUS);
> +	DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
> 
> 	/*
> 	 * Vector sent to a given vcpu, only valid when
> 	 * the vcpu's bit in map is set
> 	 */
> -	u8 vectors[KVM_MAX_VCPUS];
> +	u8 vectors[KVM_MAX_VCPU_ID];
> };
> 
> 
> -- 
> 2.7.4
> 


--
BR, Jackie Liu