KVM: Fix KVM_GET_MSR_INDEX_LIST

So far, KVM copied the emulated_msrs (only MSR_IA32_MISC_ENABLE) to a
wrong address in user space due to broken pointer arithmetic. This
caused subtle corruption up there (missing MSR_IA32_MISC_ENABLE had
probably no practical relevance). Moreover, the size check for the
user-provided kvm_msr_list forgot about emulated MSRs.

Cc: stable@kernel.org
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Avi Kivity <avi@redhat.com>

authored by Jan Kiszka and committed by Avi Kivity e125e7b6 90bc1a65
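To make the two defects in the commit message concrete, the following is an added illustration written for this page, not code from the commit or from KVM. It models the user-space `kvm_msr_list` layout (a count followed by a flexible `u32` array), compares the byte offset produced by the old `indices + num_msrs_to_save * sizeof(u32)` expression against the fixed `indices + num_msrs_to_save`, and models the fixed size check against the full count. The MSR index values and table sizes are constructed placeholders, not the real KVM tables.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <errno.h>

typedef uint32_t u32;
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample tables; the values are placeholders, not KVM's real MSR lists. */
static const u32 msrs_to_save[] = { 0x174, 0x175, 0x176 };
static const u32 emulated_msrs[] = { 0x1a0 };
static const unsigned num_msrs_to_save = ARRAY_SIZE(msrs_to_save);

/* Mirrors the shape of struct kvm_msr_list: a count, then a flexible array of u32 indices. */
struct msr_list_hdr {
    u32 nmsrs;
    u32 indices[];
};

/* Scratch "user" buffer: header plus up to 63 indices. */
static u32 scratch[64];

/*
 * Byte offset at which the emulated MSRs would be written, relative to the
 * start of indices[]. indices is a u32 array, so pointer arithmetic already
 * scales by sizeof(u32); multiplying by sizeof(u32) again (the pre-fix form)
 * overshoots by a factor of four.
 */
size_t emulated_offset_bytes(int pre_fix)
{
    u32 *base = scratch;
    u32 *dst = pre_fix ? base + num_msrs_to_save * sizeof(u32)   /* double scaling */
                       : base + num_msrs_to_save;                 /* fixed form */
    return (size_t)((char *)dst - (char *)base);
}

/*
 * Model of the fixed ioctl path. n is the number of entries the caller's
 * buffer can hold. The required count is always reported back in nmsrs,
 * and the capacity check compares against that full count (saved plus
 * emulated MSRs), which is the second defect the commit fixes.
 */
int fill_msr_list(struct msr_list_hdr *list, u32 n)
{
    u32 total = num_msrs_to_save + ARRAY_SIZE(emulated_msrs);

    list->nmsrs = total;
    if (n < total)
        return -E2BIG;

    memcpy(list->indices, msrs_to_save, num_msrs_to_save * sizeof(u32));
    /* Fixed pointer arithmetic: advance by elements, not by bytes. */
    memcpy(list->indices + num_msrs_to_save, emulated_msrs, sizeof(emulated_msrs));
    return 0;
}

/* Convenience wrappers over the scratch buffer so results can be inspected. */
int fill_status(u32 n)
{
    memset(scratch, 0, sizeof(scratch));
    return fill_msr_list((struct msr_list_hdr *)scratch, n);
}

u32 filled_index(u32 n, u32 i)
{
    if (fill_status(n) != 0)
        return 0xffffffffu;
    return ((struct msr_list_hdr *)scratch)->indices[i];
}
```

With three saved MSRs, the pre-fix expression places the emulated entries 48 bytes past the start of `indices` instead of 12, so a caller that sized its buffer for exactly `nmsrs` entries would have had memory beyond the end of the array written to (and would never have seen `MSR_IA32_MISC_ENABLE` in the list).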

+2 -3
arch/x86/kvm/x86.c
··· 1079 if (copy_to_user(user_msr_list, &msr_list, sizeof msr_list)) 1080 goto out; 1081 r = -E2BIG; 1082 - if (n < num_msrs_to_save) 1083 goto out; 1084 r = -EFAULT; 1085 if (copy_to_user(user_msr_list->indices, &msrs_to_save, 1086 num_msrs_to_save * sizeof(u32))) 1087 goto out; 1088 - if (copy_to_user(user_msr_list->indices 1089 - + num_msrs_to_save * sizeof(u32), 1090 &emulated_msrs, 1091 ARRAY_SIZE(emulated_msrs) * sizeof(u32))) 1092 goto out;
··· 1079 if (copy_to_user(user_msr_list, &msr_list, sizeof msr_list)) 1080 goto out; 1081 r = -E2BIG; 1082 + if (n < msr_list.nmsrs) 1083 goto out; 1084 r = -EFAULT; 1085 if (copy_to_user(user_msr_list->indices, &msrs_to_save, 1086 num_msrs_to_save * sizeof(u32))) 1087 goto out; 1088 + if (copy_to_user(user_msr_list->indices + num_msrs_to_save, 1089 &emulated_msrs, 1090 ARRAY_SIZE(emulated_msrs) * sizeof(u32))) 1091 goto out;
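Review bot: the corrected destination `user_msr_list->indices + num_msrs_to_save` is right because `indices` holds `u32` elements (the copy sizes are `num_msrs_to_save * sizeof(u32)`), so pointer arithmetic already scales by the element size; the removed `* sizeof(u32)` factor scaled a second time and wrote the emulated entries four times too far into the user buffer. Two follow-ups: the new `-E2BIG` check `if (n < msr_list.nmsrs)` is only as good as the `nmsrs` value computed above this hunk, so it is worth confirming there that `msr_list.nmsrs` sums `num_msrs_to_save` and `ARRAY_SIZE(emulated_msrs)`; and since `emulated_msrs` is a real array, the length `ARRAY_SIZE(emulated_msrs) * sizeof(u32)` could simply be `sizeof(emulated_msrs)`, which removes one more place where a scaling factor can go wrong.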