Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-11 06:31:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
81cdb259fb
linux/arch/x86
History
Radim Krčmář 81cdb259fb KVM: x86: fix out-of-bounds accesses of rtc_eoi map 
KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
bigger that the maximal number of VCPUs, resulting in out-of-bounds
access.

Found by syzkaller:

  BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
  Write of size 1 by task a.out/27101
  CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
   [...]
  Call Trace:
   [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
   [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
   [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
   [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
   [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
   [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
   [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
   [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
   [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
   [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: af1bae5497 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2016-11-24 18:37:19 +01:00
..
boot * Refactor the EFI memory map code into architecture neutral files 2016-09-13 20:21:55 +02:00
configs IOMMU Updates for Linux v4.9 2016-10-11 12:52:41 -07:00
crypto crypto: aesni: shut up -Wmaybe-uninitialized warning 2016-11-11 08:45:08 -08:00
entry x86/build: Fix build with older GCC versions 2016-10-25 11:44:25 +02:00
events perf/x86/intel/uncore: Add more Intel uncore IMC PCI IDs for SkyLake 2016-11-11 08:30:22 +01:00
ia32 x86/signal: Add SA_{X32,IA32}_ABI sa_flags 2016-09-14 21:28:11 +02:00
include x86/platform/intel-mid: Retrofit pci_platform_pm_ops ->get_state hook 2016-11-07 13:06:59 +01:00
kernel Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-11-14 08:39:56 -08:00
kvm KVM: x86: fix out-of-bounds accesses of rtc_eoi map 2016-11-24 18:37:19 +01:00
lguest lguest: Read offset of device_cap later 2016-06-10 11:39:09 +02:00
lib Merge branch 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2016-10-14 14:26:58 -07:00
math-emu
mm patches to fix a regression in 4.9-rc1 on x86 PAT 2016-10-28 09:36:07 -07:00
net bpf, x86: add support for constant blinding 2016-05-16 13:49:32 -04:00
oprofile oprofile/x86: Convert x86_backtrace() to use the new unwinder 2016-09-20 08:29:34 +02:00
pci PCI changes for the v4.9 merge window: 2016-10-07 11:46:37 -07:00
platform Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2016-11-14 08:39:56 -08:00
power x86/asm: Get rid of __read_cr4_safe() 2016-09-30 12:40:12 +02:00
purgatory x86/kexec: add -fno-PIE 2016-11-09 22:28:09 +01:00
ras x86/RAS/mce_amd_inj: Remove debugfs dir recursively on exit 2016-09-26 11:13:17 +02:00
realmode x86/boot: Rework reserve_real_mode() to allow multiple tries 2016-08-11 11:15:01 +02:00
tools x86/insn: Add AVX-512 support to the instruction decoder 2016-07-21 09:37:11 -03:00
um Merge branch 'gup_flag-cleanups' 2016-10-19 08:39:47 -07:00
video
xen xen: fixes for 4.9-rc2 2016-10-24 19:52:24 -07:00
.gitignore
Kbuild
Kconfig atomic64: no need for CONFIG_ARCH_HAS_ATOMIC64_DEC_IF_POSITIVE 2016-10-07 18:46:30 -07:00
Kconfig.cpu
Kconfig.debug
Makefile lib/raid6: Add AVX512 optimized gen_syndrome functions 2016-09-21 09:09:44 -07:00
Makefile_32.cpu
Makefile.um