KVM: VMX: Do not BUG() on out-of-bounds guest IRQ (3a8b0677) · Commits · 戴 / test

The value of the guest_irq argument to vmx_update_pi_irte() is ultimately coming from a KVM_IRQFD API call. Do not BUG() in vmx_update_pi_irte() if the value is out-of bounds. (Especially, since KVM as a whole seems to hang after that.) Instead, print a message only once if we find that we don't have a route for a certain IRQ (which can be out-of-bounds or within the array). This fixes CVE-2017-1000252. Fixes: ("KVM: x86: Update IRTE for posted-interrupts") Signed-off-by:

Jan H. Schönherr <jschoenh@amazon.de> Signed-off-by:

Paolo Bonzini <pbonzini@redhat.com>

arch/x86/kvm/vmx.c

+7 −2

Original line number	Diff line number	Diff line
		@@ -11834,7 +11834,7 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,
		struct kvm_lapic_irq irq;
		struct kvm_vcpu *vcpu;
		struct vcpu_data vcpu_info;
		int idx, ret = -EINVAL;
		int idx, ret = 0;

		if (!kvm_arch_has_assigned_device(kvm) \|\|
		!irq_remapping_cap(IRQ_POSTING_CAP) \|\|
		@@ -11843,7 +11843,12 @@ static int vmx_update_pi_irte(struct kvm *kvm, unsigned int host_irq,

		idx = srcu_read_lock(&kvm->irq_srcu);
		irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
		BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
		if (guest_irq >= irq_rt->nr_rt_entries \|\|
		hlist_empty(&irq_rt->map[guest_irq])) {
		pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
		guest_irq, irq_rt->nr_rt_entries);
		goto out;
		}

		hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
		if (e->type != KVM_IRQ_ROUTING_MSI)

Admin message