tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

KVM: SEV-ES: fix another issue with string I/O VMGEXITs

If the guest requests string I/O from the hypervisor via VMGEXIT,
SW_EXITINFO2 will contain the REP count. However, sev_es_string_io
was incorrectly treating it as the size of the GHCB buffer in
bytes.

This fixes the "outsw" test in the experimental SEV tests of
kvm-unit-tests.

Cc: stable@vger.kernel.org
Fixes: 7ed9abfe8e9f ("KVM: SVM: Support string IO operations for an SEV-ES guest")
Reported-by: Marc Orr <marcorr@google.com>
Tested-by: Marc Orr <marcorr@google.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Paolo Bonzini 9b0971ca 0985dba8

options
unified split
Changed files
+12 -3
arch
x86
kvm
svm
sev.c
+12 -3
arch/x86/kvm/svm/sev.c
··· 2579 2579 2580 2580 int sev_es_string_io(struct vcpu_svm *svm, int size, unsigned int port, int in) 2581 2581 { 2582 - if (!setup_vmgexit_scratch(svm, in, svm->vmcb->control.exit_info_2)) 2582 + int count; 2583 + int bytes; 2584 + 2585 + if (svm->vmcb->control.exit_info_2 > INT_MAX) 2583 2586 return -EINVAL; 2584 2587 2585 - return kvm_sev_es_string_io(&svm->vcpu, size, port, 2586 - svm->ghcb_sa, svm->ghcb_sa_len / size, in); 2588 + count = svm->vmcb->control.exit_info_2; 2589 + if (unlikely(check_mul_overflow(count, size, &bytes))) 2590 + return -EINVAL; 2591 + 2592 + if (!setup_vmgexit_scratch(svm, in, bytes)) 2593 + return -EINVAL; 2594 + 2595 + return kvm_sev_es_string_io(&svm->vcpu, size, port, svm->ghcb_sa, count, in); 2587 2596 } 2588 2597 2589 2598 void sev_es_init_vmcb(struct vcpu_svm *svm)