Re: [PATCH v13 08/35] KVM: Introduce KVM_SET_USER_MEMORY_REGION2

From: Paolo Bonzini
Date: Mon Oct 30 2023 - 12:42:15 EST

Next message: Miguel Luis: "Re: [RFC PATCH v3 00/39] ACPI/arm64: add support for virtual cpuhotplug"
Previous message: Paolo Bonzini: "Re: [PATCH v13 07/35] KVM: Convert KVM_ARCH_WANT_MMU_NOTIFIER to CONFIG_KVM_GENERIC_MMU_NOTIFIER"
In reply to: Sean Christopherson: "[PATCH v13 08/35] KVM: Introduce KVM_SET_USER_MEMORY_REGION2"
Next in thread: Sean Christopherson: "Re: [PATCH v13 08/35] KVM: Introduce KVM_SET_USER_MEMORY_REGION2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 10/27/23 20:21, Sean Christopherson wrote:

+ if (ioctl == KVM_SET_USER_MEMORY_REGION)
+ size = sizeof(struct kvm_userspace_memory_region);

This also needs a memset(&mem, 0, sizeof(mem)), otherwise the out-of-bounds access of the commit message becomes a kernel stack read.

Probably worth adding a check on valid flags here.

Paolo

+ else
+ size = sizeof(struct kvm_userspace_memory_region2);
+
+ /* Ensure the common parts of the two structs are identical. */
+ SANITY_CHECK_MEM_REGION_FIELD(slot);
+ SANITY_CHECK_MEM_REGION_FIELD(flags);
+ SANITY_CHECK_MEM_REGION_FIELD(guest_phys_addr);
+ SANITY_CHECK_MEM_REGION_FIELD(memory_size);
+ SANITY_CHECK_MEM_REGION_FIELD(userspace_addr);

Next message: Miguel Luis: "Re: [RFC PATCH v3 00/39] ACPI/arm64: add support for virtual cpuhotplug"
Previous message: Paolo Bonzini: "Re: [PATCH v13 07/35] KVM: Convert KVM_ARCH_WANT_MMU_NOTIFIER to CONFIG_KVM_GENERIC_MMU_NOTIFIER"
In reply to: Sean Christopherson: "[PATCH v13 08/35] KVM: Introduce KVM_SET_USER_MEMORY_REGION2"
Next in thread: Sean Christopherson: "Re: [PATCH v13 08/35] KVM: Introduce KVM_SET_USER_MEMORY_REGION2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]