• D
    KVM: x86: prevent integer overflows in KVM_MEMORY_ENCRYPT_REG_REGION · 86bf20cb
    Dan Carpenter 提交于
    This is a fix from reviewing the code, but it looks like it might be
    able to lead to an Oops.  It affects 32bit systems.
    
    The KVM_MEMORY_ENCRYPT_REG_REGION ioctl uses a u64 for range->addr and
    range->size but the high 32 bits would be truncated away on a 32 bit
    system.  This is harmless but it's also harmless to prevent it.
    
    Then in sev_pin_memory() the "uaddr + ulen" calculation can wrap around.
    The wrap around can happen on 32 bit or 64 bit systems, but I was only
    able to figure out a problem for 32 bit systems.  We would pick a number
    which results in "npages" being zero.  The sev_pin_memory() would then
    return ZERO_SIZE_PTR without allocating anything.
    
    I made it illegal to call sev_pin_memory() with "ulen" set to zero.
    Hopefully, that doesn't cause any problems.  I also changed the type of
    "first" and "last" to long, just for cosmetic reasons.  Otherwise on a
    64 bit system you're saving "uaddr >> 12" in an int and it truncates the
    high 20 bits away.  The math works in the current code so far as I can
    see but it's just weird.
    Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
    [Brijesh noted that the code is only reachable on X86_64.]
    Reviewed-by: NBrijesh Singh <brijesh.singh@amd.com>
    Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
    86bf20cb
svm.c 181.4 KB