1. 21 4月, 2020 14 次提交
  2. 16 4月, 2020 24 次提交
  3. 14 4月, 2020 2 次提交
    • S
      KVM: s390: Return last valid slot if approx index is out-of-bounds · 97daa028
      Sean Christopherson 提交于
      Return the index of the last valid slot from gfn_to_memslot_approx() if
      its binary search loop yielded an out-of-bounds index.  The index can
      be out-of-bounds if the specified gfn is less than the base of the
      lowest memslot (which is also the last valid memslot).
      
      Note, the sole caller, kvm_s390_get_cmma(), ensures used_slots is
      non-zero.
      
      Fixes: afdad616 ("KVM: s390: Fix storage attributes migration with memory slots")
      Cc: stable@vger.kernel.org # 4.19.x: 0774a964: KVM: Fix out of range accesses to memslots
      Cc: stable@vger.kernel.org # 4.19.x
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Message-Id: <20200408064059.8957-3-sean.j.christopherson@intel.com>
      Reviewed-by: NCornelia Huck <cohuck@redhat.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      97daa028
    • S
      KVM: Check validity of resolved slot when searching memslots · b6467ab1
      Sean Christopherson 提交于
      Check that the resolved slot (somewhat confusingly named 'start') is a
      valid/allocated slot before doing the final comparison to see if the
      specified gfn resides in the associated slot.  The resolved slot can be
      invalid if the binary search loop terminated because the search index
      was incremented beyond the number of used slots.
      
      This bug has existed since the binary search algorithm was introduced,
      but went unnoticed because KVM statically allocated memory for the max
      number of slots, i.e. the access would only be truly out-of-bounds if
      all possible slots were allocated and the specified gfn was less than
      the base of the lowest memslot.  Commit 36947254 ("KVM: Dynamically
      size memslot array based on number of used slots") eliminated the "all
      possible slots allocated" condition and made the bug embarrasingly easy
      to hit.
      
      Fixes: 9c1a5d38 ("kvm: optimize GFN to memslot lookup with large slots amount")
      Reported-by: syzbot+d889b59b2bb87d4047a2@syzkaller.appspotmail.com
      Cc: stable@vger.kernel.org
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Message-Id: <20200408064059.8957-2-sean.j.christopherson@intel.com>
      Reviewed-by: NCornelia Huck <cohuck@redhat.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      b6467ab1