Revision 81cdb259fb6d8c1c4ecfeea389ff5a73c07f5755 authored by Radim Krčmář on 23 November 2016, 20:15:27 UTC, committed by Radim Krčmář on 24 November 2016, 17:37:19 UTC
KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
bigger than the maximal number of VCPUs, resulting in out-of-bounds
access.

Found by syzkaller:

  BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
  Write of size 1 by task a.out/27101
  CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
   [...]
  Call Trace:
   [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
   [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
   [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
   [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
   [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
   [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
   [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
   [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
   [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
   [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: af1bae5497b9 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
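The bug class described above, as an added example that is not the kernel's code: per-VCPU state sized by the VCPU count (KVM_MAX_VCPUS) but indexed by the VCPU ID, whose range (0..KVM_MAX_VCPU_ID, 1023 per the Fixes: tag) is much larger. The value 288 for KVM_MAX_VCPUS and all struct and function names here are assumptions made for this model; the fixed variant sizes the arrays by the largest possible ID and rejects anything above it before indexing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* KVM_MAX_VCPU_ID = 1023 is taken from the Fixes: tag of the commit above.
 * KVM_MAX_VCPUS = 288 is an assumed value for this toy model. */
#define KVM_MAX_VCPUS    288
#define KVM_MAX_VCPU_ID  1023

#define BITS_PER_LONG    (8 * sizeof(unsigned long))
#define BITMAP_LONGS(n)  (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Vulnerable shape (hypothetical): arrays sized by the VCPU *count*
 * but indexed by the VCPU *ID*. vectors[] is written past its end for
 * any id >= KVM_MAX_VCPUS; dest_map[] past bit BITMAP_LONGS(288)*64. */
struct irq_state_buggy {
	unsigned long dest_map[BITMAP_LONGS(KVM_MAX_VCPUS)];
	uint8_t vectors[KVM_MAX_VCPUS];
};

/* Fixed shape (hypothetical): sized by the largest ID, IDs being
 * 0..KVM_MAX_VCPU_ID inclusive, hence the +1. */
struct irq_state_fixed {
	unsigned long dest_map[BITMAP_LONGS(KVM_MAX_VCPU_ID + 1)];
	uint8_t vectors[KVM_MAX_VCPU_ID + 1];
};

/* True when a write for vcpu_id would run past the buggy vectors[] array.
 * This is the condition syzkaller hit: a valid ID, an invalid index. */
bool buggy_index_out_of_bounds(unsigned int vcpu_id)
{
	return vcpu_id >= KVM_MAX_VCPUS;
}

/* Hardened delivery path: validate the ID against the array bound, then
 * record the destination bit and the pending vector. Returns 0 or -1. */
int fixed_accept_irq(struct irq_state_fixed *st, unsigned int vcpu_id,
		     uint8_t vector)
{
	if (vcpu_id > KVM_MAX_VCPU_ID)
		return -1;	/* reject instead of indexing */
	st->dest_map[vcpu_id / BITS_PER_LONG] |= 1UL << (vcpu_id % BITS_PER_LONG);
	st->vectors[vcpu_id] = vector;
	return 0;
}

/* Bounds-checked read of the destination bit for vcpu_id. */
bool fixed_is_pending(const struct irq_state_fixed *st, unsigned int vcpu_id)
{
	if (vcpu_id > KVM_MAX_VCPU_ID)
		return false;
	return (st->dest_map[vcpu_id / BITS_PER_LONG] >>
		(vcpu_id % BITS_PER_LONG)) & 1UL;
}

/* Walks the scenario end to end; returns 0 on success, a step number on
 * the first failure, so the result can be checked without printing. */
int run_scenario(void)
{
	struct irq_state_fixed st;
	unsigned int id = KVM_MAX_VCPU_ID;	/* largest legal ID: 1023 */

	memset(&st, 0, sizeof(st));

	/* The same ID is a valid index in the buggy layout? No. */
	if (!buggy_index_out_of_bounds(id))
		return 1;
	if (sizeof(((struct irq_state_buggy *)0)->vectors) != KVM_MAX_VCPUS)
		return 2;

	/* The fixed layout accepts it and lands on the right slot. */
	if (fixed_accept_irq(&st, id, 0x30) != 0)
		return 3;
	if (st.vectors[id] != 0x30 || !fixed_is_pending(&st, id))
		return 4;
	if (fixed_is_pending(&st, id - 1))
		return 5;

	/* One past the largest ID is refused rather than indexed. */
	if (fixed_accept_irq(&st, id + 1, 0x31) != -1)
		return 6;
	return 0;
}
```

The point of the model is the mismatch between the two limits: a VCPU ID is user-controlled (it is chosen at KVM_CREATE_VCPU time) and only has to be at most KVM_MAX_VCPU_ID, so any table indexed by it must be sized by that bound, not by how many VCPUs can exist at once.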
1 parent 2117d53