Commit 98938aa8 authored by Tomas Bortoli, committed by Radim Krčmář

KVM: validate userspace input in kvm_clear_dirty_log_protect()

The function at issue does not fully validate the content of the
structure pointed to by the log parameter, though its content has just been
copied from userspace and lacks validation. Fix that.

Moreover, change the type of n to unsigned long as that is the type
returned by kvm_dirty_bitmap_bytes().

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+028366e52c9ace67deb3@syzkaller.appspotmail.com
[Squashed the fix from Paolo. - Radim.]
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
parent d14eff1b
...@@ -1227,9 +1227,9 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm, ...@@ -1227,9 +1227,9 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm,
{ {
struct kvm_memslots *slots; struct kvm_memslots *slots;
struct kvm_memory_slot *memslot; struct kvm_memory_slot *memslot;
int as_id, id, n; int as_id, id;
gfn_t offset; gfn_t offset;
unsigned long i; unsigned long i, n;
unsigned long *dirty_bitmap; unsigned long *dirty_bitmap;
unsigned long *dirty_bitmap_buffer; unsigned long *dirty_bitmap_buffer;
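Review bot: folding the byte count into the loop-index declaration as `unsigned long i, n;` hides that `n` is the length later handed to `copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n)`; a separate declaration with a short comment, or a name such as `bitmap_bytes`, would make that clearer. The type change itself is right, since `kvm_dirty_bitmap_bytes()` returns unsigned long and the old `int n` would have sign-converted or truncated that value; the hunk shows only the declaration, so check that no remaining use of `n` in the function compares it with a signed quantity, as that comparison would now be performed unsigned.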
...@@ -1249,6 +1249,11 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm, ...@@ -1249,6 +1249,11 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm,
return -ENOENT; return -ENOENT;
n = kvm_dirty_bitmap_bytes(memslot); n = kvm_dirty_bitmap_bytes(memslot);
if (log->first_page > memslot->npages ||
log->num_pages > memslot->npages - log->first_page)
return -EINVAL;
*flush = false; *flush = false;
dirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot); dirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot);
if (copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n)) if (copy_from_user(dirty_bitmap_buffer, log->dirty_bitmap, n))
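Review bot: the two-part check `log->first_page > memslot->npages || log->num_pages > memslot->npages - log->first_page` is correct only because `||` short-circuits: the first comparison establishes `first_page <= npages` before the subtraction runs, so `npages - first_page` cannot wrap, which is what makes this form safer than the naive `first_page + num_pages > npages`; a one-line comment above the check would keep a later cleanup from reordering it. Note the boundary it accepts: `first_page == npages` with `num_pages == 0` passes and the function goes on to `copy_from_user()` the full `n` bytes for a clear of zero pages; if a zero-length request should be an error rather than a no-op, reject `num_pages == 0` here as well. Placing the check before the copy is right, since `n` is derived from the memslot rather than from `log`, and returning -EINVAL before `*flush = false` is fine as long as callers ignore `flush` on error.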
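The range check the commit describes, written out beside the naive form it guards against, as an added example that is not the kernel's code and not part of the patch. The validators take scalar arguments rather than the `log` pointer, the field widths (`first_page` as 64-bit, `num_pages` as 32-bit) are assumptions, and `dirty_bitmap_bytes()` is a local stand-in modelled on `kvm_dirty_bitmap_bytes()` (one bit per page, rounded up to a whole number of longs), also an assumption.

```c
/*
 * Added example, not the kernel's code: an overflow-safe "start/length inside
 * the slot" check in the shape of the patch, next to the naive form it
 * guards against. Field widths and helper names are assumptions.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG_EXAMPLE 64UL
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

/* Stand-in for kvm_dirty_bitmap_bytes(): one bit per page, rounded up to a
 * whole number of longs, expressed in bytes. Assumed to mirror the kernel. */
static unsigned long dirty_bitmap_bytes(unsigned long npages)
{
    return ALIGN_UP(npages, BITS_PER_LONG_EXAMPLE) / 8;
}

/* Naive bound: start + len <= npages. The addition is 64-bit and wraps, so a
 * huge first_page with a small num_pages can land below npages and pass. */
static int check_naive(unsigned long npages, uint64_t first_page,
                       uint32_t num_pages)
{
    if (first_page + num_pages > npages)
        return -EINVAL;
    return 0;
}

/* Bound in the shape of the patch: first_page is bounded before the
 * subtraction, so npages - first_page cannot underflow; num_pages is then
 * bounded by what is left. Both inputs come straight from userspace. */
static int check_patched(unsigned long npages, uint64_t first_page,
                         uint32_t num_pages)
{
    if (first_page > npages ||
        num_pages > npages - first_page)
        return -EINVAL;
    return 0;
}

/* Does the range [first_page, first_page + num_pages) index only bits that
 * exist in the slot's dirty bitmap? Computed without wrapping, so it can be
 * used to judge what each validator accepted. */
static int range_inside_bitmap(unsigned long npages, uint64_t first_page,
                               uint32_t num_pages)
{
    uint64_t bits = (uint64_t)dirty_bitmap_bytes(npages) * 8;

    if (first_page > bits)
        return 0;
    return num_pages <= bits - first_page;
}

/* Constructed inputs for a 1024-page slot; the last one is the wraparound
 * case the naive check lets through. */
struct req { uint64_t first_page; uint32_t num_pages; };

int main(void)
{
    const unsigned long npages = 1024;
    const struct req cases[] = {
        { 0, 1024 }, { 1024, 0 }, { 1024, 1 }, { 1000, 24 }, { 1000, 25 },
        { UINT64_MAX - 1, 4 },
    };
    size_t i;

    printf("%-22s %-6s %-8s %-8s %s\n", "first_page", "num", "naive",
           "patched", "inside-bitmap");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int naive = check_naive(npages, cases[i].first_page,
                                cases[i].num_pages);
        int patched = check_patched(npages, cases[i].first_page,
                                    cases[i].num_pages);
        printf("%-22llu %-6u %-8s %-8s %s\n",
               (unsigned long long)cases[i].first_page, cases[i].num_pages,
               naive ? "EINVAL" : "ok", patched ? "EINVAL" : "ok",
               range_inside_bitmap(npages, cases[i].first_page,
                                   cases[i].num_pages) ? "yes" : "no");
    }
    return 0;
}
```

The wraparound row is the one that matters: `check_naive()` reports "ok" for `first_page = UINT64_MAX - 1, num_pages = 4` because the sum wraps to 2, while `range_inside_bitmap()` shows that the range is nowhere near the bitmap, which is exactly the out-of-bounds index the patched ordering prevents. The comparison also behaves on 32-bit hosts, where `unsigned long` is narrower than `first_page`: usual arithmetic conversions promote `npages` to 64 bits rather than truncating `first_page`.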