Commit a13b03bb authored Aug 29, 2019 by Thomas Huth Committed by Christian Borntraeger Aug 29, 2019

KVM: s390: Test for bad access register and size at the start of S390_MEM_OP



If the KVM_S390_MEM_OP ioctl is called with an access register >= 16,
then there is certainly a bug in the calling userspace application.
We check for wrong access registers, but only if the vCPU was already
in the access register mode before (i.e. the SIE block has recorded
it). The check is also buried somewhere deep in the calling chain (in
the function ar_translation()), so this is somewhat hard to find.

It's better to always report an error to the userspace in case this
field is set wrong, and it's safer in the KVM code if we block wrong
values here early instead of relying on a check somewhere deep down
the calling chain, so let's add another check to kvm_s390_guest_mem_op()
directly.

We also should check that the "size" is non-zero here (thanks to Janosch
Frank for the hint!). If we do not check the size, we could call vmalloc()
with this 0 value, and this will cause a kernel warning.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Link: https://lkml.kernel.org/r/20190829122517.31042-1-thuth@redhat.com


Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Reviewed-by: Janosch Frank <frankja@linux.ibm.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>

parent a049a377

arch/s390/kvm/kvm-s390.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -4265,7 +4265,7 @@ static long kvm_s390_guest_mem_op(struct kvm_vcpu *vcpu,
		const u64 supported_flags = KVM_S390_MEMOP_F_INJECT_EXCEPTION
		\| KVM_S390_MEMOP_F_CHECK_ONLY;

		if (mop->flags & ~supported_flags)
		if (mop->flags & ~supported_flags \|\| mop->ar >= NUM_ACRS \|\| !mop->size)
		return -EINVAL;

		if (mop->size > MEM_OP_MAX_SIZE)

Admin message