Revision 81cdb259fb6d8c1c4ecfeea389ff5a73c07f5755 authored by Radim Krčmář on 23 November 2016, 20:15:27 UTC, committed by Radim Krčmář on 24 November 2016, 17:37:19 UTC
KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
bigger that the maximal number of VCPUs, resulting in out-of-bounds
access.
Found by syzkaller:
BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
Write of size 1 by task a.out/27101
CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[...]
Call Trace:
[...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
[...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
[...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
[...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
[...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
[...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
[...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
[...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
[...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
[...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: af1bae5497b9 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
1 parent 2117d53
| File | Mode | Size |
|---|---|---|
| oss | ||
| seq | ||
| Kconfig | -rw-r--r-- | 5.9 KB |
| Makefile | -rw-r--r-- | 1.3 KB |
| compress_offload.c | -rw-r--r-- | 29.8 KB |
| control.c | -rw-r--r-- | 50.3 KB |
| control_compat.c | -rw-r--r-- | 13.1 KB |
| ctljack.c | -rw-r--r-- | 2.2 KB |
| device.c | -rw-r--r-- | 6.3 KB |
| hrtimer.c | -rw-r--r-- | 4.2 KB |
| hwdep.c | -rw-r--r-- | 13.2 KB |
| hwdep_compat.c | -rw-r--r-- | 2.3 KB |
| info.c | -rw-r--r-- | 19.6 KB |
| info_oss.c | -rw-r--r-- | 3.5 KB |
| init.c | -rw-r--r-- | 25.9 KB |
| isadma.c | -rw-r--r-- | 3.0 KB |
| jack.c | -rw-r--r-- | 9.9 KB |
| memalloc.c | -rw-r--r-- | 7.5 KB |
| memory.c | -rw-r--r-- | 2.5 KB |
| misc.c | -rw-r--r-- | 3.9 KB |
| pcm.c | -rw-r--r-- | 34.4 KB |
| pcm_compat.c | -rw-r--r-- | 21.7 KB |
| pcm_dmaengine.c | -rw-r--r-- | 11.6 KB |
| pcm_drm_eld.c | -rw-r--r-- | 2.4 KB |
| pcm_iec958.c | -rw-r--r-- | 3.2 KB |
| pcm_lib.c | -rw-r--r-- | 71.2 KB |
| pcm_memory.c | -rw-r--r-- | 13.5 KB |
| pcm_misc.c | -rw-r--r-- | 15.6 KB |
| pcm_native.c | -rw-r--r-- | 101.0 KB |
| pcm_timer.c | -rw-r--r-- | 3.7 KB |
| pcm_trace.h | -rw-r--r-- | 3.7 KB |
| rawmidi.c | -rw-r--r-- | 49.3 KB |
| rawmidi_compat.c | -rw-r--r-- | 4.8 KB |
| sgbuf.c | -rw-r--r-- | 4.2 KB |
| sound.c | -rw-r--r-- | 10.5 KB |
| sound_oss.c | -rw-r--r-- | 7.1 KB |
| timer.c | -rw-r--r-- | 53.4 KB |
| timer_compat.c | -rw-r--r-- | 4.9 KB |
| vmaster.c | -rw-r--r-- | 12.7 KB |
Computing file changes ...
