Re: [PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush - Linux-stable-mirror

22 Aug 2018

...
From: MINOURA Makoto / 箕浦 真 minoura@valinux.co.jp
Date: 2018年8月22日周三 上午9:50
Subject: [PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush
To: kvm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
When EPT is not enabled, reading
/sys/module/kvm_intel/parameters/vmentry_l1d_flush causes
general protection fault in vmentry_l1d_flush_get() due to
access beyond the end of the array vmentry_l1d_param[].
Signed-off-by: Minoura Makoto minoura@valinux.co.jp
arch/x86/include/asm/vmx.h | 1 +
 arch/x86/kvm/vmx.c         | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 95f9107449bf..c4b834b05178 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -581,6 +581,7 @@ enum vmx_l1d_flush_state {
        VMENTER_L1D_FLUSH_NEVER,
        VMENTER_L1D_FLUSH_COND,
        VMENTER_L1D_FLUSH_ALWAYS,

  VMENTER_L1D_FLUSH_PARAM_MAX = VMENTER_L1D_FLUSH_ALWAYS,
  VMENTER_L1D_FLUSH_EPT_DISABLED,
  VMENTER_L1D_FLUSH_NOT_REQUIRED,



};
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1519f030fd73..155ba2a9139f 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -204,6 +204,8 @@ static const struct {
        {"never",       VMENTER_L1D_FLUSH_NEVER},
        {"cond",        VMENTER_L1D_FLUSH_COND},
        {"always",      VMENTER_L1D_FLUSH_ALWAYS},

  {"ept-disabled", VMENTER_L1D_FLUSH_EPT_DISABLED},


  {"not-required", VMENTER_L1D_FLUSH_NOT_REQUIRED},



};
#define L1D_CACHE_ORDER 4
@@ -286,7 +288,7 @@ static int vmentry_l1d_flush_parse(const char *s)
        unsigned int i;
    if (s) {


          for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {




          for (i = 0; i <= VMENTER_L1D_FLUSH_PARAM_MAX; i++) {
                  if (sysfs_streq(s, vmentry_l1d_param[i].option))
                          return vmentry_l1d_param[i].cmd;
          }



Easy to reproduce. Thanks.
Tested-by: Jack Wang jinpu.wang@profitbricks.com
--
Jack Wang
Linux Kernel Developer
ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin
Tel:       +49 30 577 008  042
Fax:      +49 30 577 008 299
Email:    jinpu.wang@profitbricks.com
URL:      https://www.profitbricks.de
Sitz der Gesellschaft: Berlin
Registergericht: Amtsgericht Charlottenburg, HRB 125506 B
Geschäftsführer: Achim Weiss, Matthias Steinberg, Christoph Steffens

    