From: Tomas Bortoli <tomasbortoli@gmail.com>

mainline inclusion
from mainline-5.0
commit 98938aa8edd66dc95024d7c936a4bc315f6615ff
category: bugfix
bugzilla: NA
CVE: NA

-------------------------------------------------
The function at issue does not fully validate the content of the structure pointed by the log parameter, though its content has just been copied from userspace and lacks validation. Fix that.
Moreover, change the type of n to unsigned long as that is the type returned by kvm_dirty_bitmap_bytes().
Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+028366e52c9ace67deb3@syzkaller.appspotmail.com
[Squashed the fix from Paolo. - Radim.]
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Xiangyou Xie <xiexiangyou@huawei.com>
Reviewed-by: Ying Fang <fangying1@huawei.com>
Reviewed-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 virt/kvm/kvm_main.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index c3604286529d..9f4d87702c2e 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -1288,9 +1288,9 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm, { struct kvm_memslots *slots; struct kvm_memory_slot *memslot; - int as_id, id, n; + int as_id, id; gfn_t offset; - unsigned long i; + unsigned long i, n; unsigned long *dirty_bitmap; unsigned long *dirty_bitmap_buffer;
@@ -1310,6 +1310,11 @@ int kvm_clear_dirty_log_protect(struct kvm *kvm, return -ENOENT;
n = kvm_dirty_bitmap_bytes(memslot); + + if (log->first_page > memslot->npages || + log->num_pages > memslot->npages - log->first_page) + return -EINVAL; + *flush = false;
dirty_bitmap_buffer = kvm_second_dirty_bitmap(memslot);
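Review bot: the first hunk changes `n` from `int` to `unsigned long` to match the return type of `kvm_dirty_bitmap_bytes()`, but the hunk shows only the declaration; any comparison of `n` against a signed quantity later in `kvm_clear_dirty_log_protect()` silently switches from signed to unsigned semantics, so the remaining uses of `n` in the function should be checked once more before this goes in.

Review bot: the new bounds check in the second hunk is correct but undocumented; the order of the two conditions matters, because `log->first_page > memslot->npages` must be tested first so that `memslot->npages - log->first_page` in the second condition cannot wrap around on an unsigned subtraction. Suggest a short comment above the `if` stating that `first_page` and `num_pages` come straight from userspace and that the two-step form is deliberate to avoid overflow when computing the upper bound. Note also that the check accepts `first_page == npages` together with `num_pages == 0`, which makes the call a no-op rather than an error; if that is intended it is worth saying so in the same comment.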