81cdb259fb
KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
bigger that the maximal number of VCPUs, resulting in out-of-bounds
access.
Found by syzkaller:
BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
Write of size 1 by task a.out/27101
CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[...]
Call Trace:
[...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
[...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
[...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
[...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
[...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
[...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
[...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
[...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
[...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
[...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: af1bae5497
("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
142 lines
3.4 KiB
C
142 lines
3.4 KiB
C
#ifndef __KVM_IO_APIC_H
|
|
#define __KVM_IO_APIC_H
|
|
|
|
#include <linux/kvm_host.h>
|
|
|
|
#include <kvm/iodev.h>
|
|
|
|
struct kvm;
|
|
struct kvm_vcpu;
|
|
|
|
#define IOAPIC_NUM_PINS KVM_IOAPIC_NUM_PINS
|
|
#define MAX_NR_RESERVED_IOAPIC_PINS KVM_MAX_IRQ_ROUTES
|
|
#define IOAPIC_VERSION_ID 0x11 /* IOAPIC version */
|
|
#define IOAPIC_EDGE_TRIG 0
|
|
#define IOAPIC_LEVEL_TRIG 1
|
|
|
|
#define IOAPIC_DEFAULT_BASE_ADDRESS 0xfec00000
|
|
#define IOAPIC_MEM_LENGTH 0x100
|
|
|
|
/* Direct registers. */
|
|
#define IOAPIC_REG_SELECT 0x00
|
|
#define IOAPIC_REG_WINDOW 0x10
|
|
|
|
/* Indirect registers. */
|
|
#define IOAPIC_REG_APIC_ID 0x00 /* x86 IOAPIC only */
|
|
#define IOAPIC_REG_VERSION 0x01
|
|
#define IOAPIC_REG_ARB_ID 0x02 /* x86 IOAPIC only */
|
|
|
|
/*ioapic delivery mode*/
|
|
#define IOAPIC_FIXED 0x0
|
|
#define IOAPIC_LOWEST_PRIORITY 0x1
|
|
#define IOAPIC_PMI 0x2
|
|
#define IOAPIC_NMI 0x4
|
|
#define IOAPIC_INIT 0x5
|
|
#define IOAPIC_EXTINT 0x7
|
|
|
|
#ifdef CONFIG_X86
|
|
#define RTC_GSI 8
|
|
#else
|
|
#define RTC_GSI -1U
|
|
#endif
|
|
|
|
struct dest_map {
|
|
/* vcpu bitmap where IRQ has been sent */
|
|
DECLARE_BITMAP(map, KVM_MAX_VCPU_ID);
|
|
|
|
/*
|
|
* Vector sent to a given vcpu, only valid when
|
|
* the vcpu's bit in map is set
|
|
*/
|
|
u8 vectors[KVM_MAX_VCPU_ID];
|
|
};
|
|
|
|
|
|
struct rtc_status {
|
|
int pending_eoi;
|
|
struct dest_map dest_map;
|
|
};
|
|
|
|
union kvm_ioapic_redirect_entry {
|
|
u64 bits;
|
|
struct {
|
|
u8 vector;
|
|
u8 delivery_mode:3;
|
|
u8 dest_mode:1;
|
|
u8 delivery_status:1;
|
|
u8 polarity:1;
|
|
u8 remote_irr:1;
|
|
u8 trig_mode:1;
|
|
u8 mask:1;
|
|
u8 reserve:7;
|
|
u8 reserved[4];
|
|
u8 dest_id;
|
|
} fields;
|
|
};
|
|
|
|
struct kvm_ioapic {
|
|
u64 base_address;
|
|
u32 ioregsel;
|
|
u32 id;
|
|
u32 irr;
|
|
u32 pad;
|
|
union kvm_ioapic_redirect_entry redirtbl[IOAPIC_NUM_PINS];
|
|
unsigned long irq_states[IOAPIC_NUM_PINS];
|
|
struct kvm_io_device dev;
|
|
struct kvm *kvm;
|
|
void (*ack_notifier)(void *opaque, int irq);
|
|
spinlock_t lock;
|
|
struct rtc_status rtc_status;
|
|
struct delayed_work eoi_inject;
|
|
u32 irq_eoi[IOAPIC_NUM_PINS];
|
|
u32 irr_delivered;
|
|
};
|
|
|
|
#ifdef DEBUG
|
|
#define ASSERT(x) \
|
|
do { \
|
|
if (!(x)) { \
|
|
printk(KERN_EMERG "assertion failed %s: %d: %s\n", \
|
|
__FILE__, __LINE__, #x); \
|
|
BUG(); \
|
|
} \
|
|
} while (0)
|
|
#else
|
|
#define ASSERT(x) do { } while (0)
|
|
#endif
|
|
|
|
static inline struct kvm_ioapic *ioapic_irqchip(struct kvm *kvm)
|
|
{
|
|
return kvm->arch.vioapic;
|
|
}
|
|
|
|
static inline int ioapic_in_kernel(struct kvm *kvm)
|
|
{
|
|
int ret;
|
|
|
|
ret = (ioapic_irqchip(kvm) != NULL);
|
|
return ret;
|
|
}
|
|
|
|
void kvm_rtc_eoi_tracking_restore_one(struct kvm_vcpu *vcpu);
|
|
bool kvm_apic_match_dest(struct kvm_vcpu *vcpu, struct kvm_lapic *source,
|
|
int short_hand, unsigned int dest, int dest_mode);
|
|
int kvm_apic_compare_prio(struct kvm_vcpu *vcpu1, struct kvm_vcpu *vcpu2);
|
|
void kvm_ioapic_update_eoi(struct kvm_vcpu *vcpu, int vector,
|
|
int trigger_mode);
|
|
int kvm_ioapic_init(struct kvm *kvm);
|
|
void kvm_ioapic_destroy(struct kvm *kvm);
|
|
int kvm_ioapic_set_irq(struct kvm_ioapic *ioapic, int irq, int irq_source_id,
|
|
int level, bool line_status);
|
|
void kvm_ioapic_clear_all(struct kvm_ioapic *ioapic, int irq_source_id);
|
|
int kvm_irq_delivery_to_apic(struct kvm *kvm, struct kvm_lapic *src,
|
|
struct kvm_lapic_irq *irq,
|
|
struct dest_map *dest_map);
|
|
int kvm_get_ioapic(struct kvm *kvm, struct kvm_ioapic_state *state);
|
|
int kvm_set_ioapic(struct kvm *kvm, struct kvm_ioapic_state *state);
|
|
void kvm_ioapic_scan_entry(struct kvm_vcpu *vcpu,
|
|
ulong *ioapic_handled_vectors);
|
|
void kvm_scan_ioapic_routes(struct kvm_vcpu *vcpu,
|
|
ulong *ioapic_handled_vectors);
|
|
#endif
|