KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE

[ Upstream commit db80927e ] The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE, so the correct size must be that plus sizeof(*vmcs12). This could lead to KVM reading garbage data from userspace and not reporting an error, but is otherwise not sensitive. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>

KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE
[ Upstream commit db80927e ] The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE, so the correct size must be that plus sizeof(*vmcs12). This could lead to KVM reading garbage data from userspace and not reporting an error, but is otherwise not sensitive. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
936a2fe9 · Paolo Bonzini · Greg Kroah-Hartman · cf2a3bd4 · 936a2fe9
Commit 936a2fe9 authored May 20, 2019 by Paolo Bonzini Committed by Greg Kroah-Hartman Jun 19, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

arch/x86/kvm/vmx/nested.c arch/x86/kvm/vmx/nested.c +1 -1

No files found.
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -5467,7 +5467,7 @@ static int vmx_set_nested_state(struct kvm_vcpu *vcpu,
 	    vmcs12->vmcs_link_pointer != -1ull) {
 		struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);
-		if (kvm_state->size < sizeof(*kvm_state) + 2 * sizeof(*vmcs12))
+		if (kvm_state->size < sizeof(*kvm_state) + VMCS12_SIZE + sizeof(*vmcs12))
 			return -EINVAL;
 		if (copy_from_user(shadow_vmcs12,