Re: [PATCH v1] KVM: x86: PMU Whitelist

From: Andi Kleen
Date: Thu Jun 20 2019 - 14:27:30 EST


Eric Hankland <ehankland@xxxxxxxxxx> writes:
>
> +int kvm_vcpu_ioctl_set_pmu_whitelist(struct kvm_vcpu *vcpu,
> + struct kvm_pmu_whitelist __user *whtlst)
> +{
> + struct kvm_pmu *pmu = vcpu_to_pmu(vcpu);
> + struct kvm_pmu_whitelist *old = pmu->whitelist;
> + struct kvm_pmu_whitelist *new = NULL;
> + struct kvm_pmu_whitelist tmp;
> + int r;
> + size_t size;
> +
> + r = -EFAULT;
> + if (copy_from_user(&tmp, whtlst, sizeof(struct kvm_pmu_whitelist)))
> + goto err;
> +
> + size = sizeof(tmp) + sizeof(tmp.events[0]) * tmp.num_events;
> + new = kvzalloc(size, GFP_KERNEL_ACCOUNT);
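Review bot: the size computation `size = sizeof(tmp) + sizeof(tmp.events[0]) * tmp.num_events;` multiplies a value taken straight from user memory with no upper bound and no overflow check, so a large `num_events` can wrap `size` and `kvzalloc(size, GFP_KERNEL_ACCOUNT)` then returns a buffer much smaller than the event count implies; validate `tmp.num_events` against a fixed maximum before the arithmetic, or compute the allocation with `struct_size(new, events, tmp.num_events)` from `<linux/overflow.h>`, which saturates instead of wrapping. The lines shown also never copy the header in `tmp` into `new` after the allocation, so `new->num_events` is left zeroed by `kvzalloc` unless a later line (not visible here) fills it in.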

Consider what happens when tmp.num_events is large enough to wrap size.
I suspect that's a kernel exploit as written.

Also, don't you need to copy tmp to new?

-Andi