KVM: x86: Fix the NULL pointer parameter in check_cr_write()

Routine check_cr_write() will trigger emulator_get_cpuid()-> kvm_cpuid() to get maxphyaddr, and NULL is passed as values for ebx/ecx/edx. This is problematic because kvm_cpuid() will dereference these pointers. Fixes: d1cd3ce9 ("KVM: MMU: check guest CR3 reserved bits based on its physical address width.") Reported-by: N Jim Mattson <jmattson@google.com> Signed-off-by: N Yu Zhang <yu.c.zhang@linux.intel.com> Reviewed-by: N David Hildenbrand <david@redhat.com> Reviewed-by: N Jim Mattson <jmattson@google.com> Signed-off-by: N Radim Krčmář <rkrcmar@redhat.com>

KVM: x86: Fix the NULL pointer parameter in check_cr_write()
Routine check_cr_write() will trigger emulator_get_cpuid()-> kvm_cpuid() to get maxphyaddr, and NULL is passed as values for ebx/ecx/edx. This is problematic because kvm_cpuid() will dereference these pointers. Fixes: d1cd3ce9 ("KVM: MMU: check guest CR3 reserved bits based on its physical address width.") Reported-by: N Jim Mattson <jmattson@google.com> Signed-off-by: N Yu Zhang <yu.c.zhang@linux.intel.com> Reviewed-by: N David Hildenbrand <david@redhat.com> Reviewed-by: N Jim Mattson <jmattson@google.com> Signed-off-by: N Radim Krčmář <rkrcmar@redhat.com>
d6500149 · Yu Zhang · Radim Krčmář · 95e2a3b3 · d6500149
显示空白变更内容
内联并排

Showing with 5 addition and 3 deletion

arch/x86/kvm/emulate.c arch/x86/kvm/emulate.c +5 -3

未找到文件。
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4102,10 +4102,12 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
 		ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
 		if (efer & EFER_LMA) {
 			u64 maxphyaddr;
-			u32 eax = 0x80000008;
+			u32 eax, ebx, ecx, edx;
-			if (ctxt->ops->get_cpuid(ctxt, &eax, NULL, NULL,
+			eax = 0x80000008;
-						 NULL, false))
+			ecx = 0;
+			if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx,
+						 &edx, false))
 				maxphyaddr = eax & 0xff;
 			else
 				maxphyaddr = 36;