From patchwork Wed Oct 26 21:52:54 2022
X-Patchwork-Submitter: "Christian A. Ehrhardt"
X-Patchwork-Id: 11446
From: "Christian A. Ehrhardt"
To: Sean Christopherson
Cc: "Christian A. Ehrhardt", Paolo Bonzini, Kees Cook, kvm@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] x86/kvm: Fix state restore in em_rsm
Date: Wed, 26 Oct 2022 23:52:54 +0200
Message-Id: <20221026215255.1063662-1-lk@c--e.de>
X-Mailer: git-send-email 2.30.2
X-Mailing-List: linux-kernel@vger.kernel.org

Syzkaller reports a stack-out-of-bounds access when emulating RSM (return
from system management mode).

Assume that a 64-bit capable host (i.e. CONFIG_X86_64 is true) emulates a
guest CPU that does not support 64-bit mode. In this case RSM must use the
32-bit version of the SMM state map, which only contains space for 8 general
purpose registers. However, NR_EMULATOR_GPRS is defined to 16 due to
CONFIG_X86_64. As a result rsm_load_state_32 will try to restore 16
registers from the state save area, which only contains 8 registers. Manual
offset calculation easily shows that memory beyond the end of the smstate
buffer is accessed in this case.

Revert the relevant parts of b443183a25ab and use explicit constants for
the number of general purpose registers again. This also ensures that the
code in rsm_load_state_{32,64} matches what is done in
enter_smm_save_state_{32,64}.

Fixes: b443183a25ab ("KVM: x86: Reduce the number of emulator GPRs to '8' for 32-bit KVM")
Signed-off-by: Christian A. Ehrhardt
---
 arch/x86/kvm/emulate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 3b27622d4642..05355ebaf4f3 100644
--- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -2432,7 +2432,7 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt, ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7ff4) | X86_EFLAGS_FIXED; ctxt->_eip = GET_SMSTATE(u32, smstate, 0x7ff0); - for (i = 0; i < NR_EMULATOR_GPRS; i++) + for (i = 0; i < 8; i++) *reg_write(ctxt, i) = GET_SMSTATE(u32, smstate, 0x7fd0 + i * 4); val = GET_SMSTATE(u32, smstate, 0x7fcc); @@ -2489,7 +2489,7 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt, u16 selector; int i, r; - for (i = 0; i < NR_EMULATOR_GPRS; i++) + for (i = 0; i < 16; i++) *reg_write(ctxt, i) = GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8); ctxt->_eip = GET_SMSTATE(u64, smstate, 0x7f78);
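Review bot: the bare `8` in `for (i = 0; i < 8; i++)` in rsm_load_state_32 should carry a comment or a named constant tying it to the 32-bit state-map layout, because the commit message says the previous switch to NR_EMULATOR_GPRS is exactly how the bound drifted away from the layout; something like `/* the 32-bit SMM state map holds 8 GPRs at 0x7fd0 */` would stop the next cleanup from reintroducing the generic constant. The hunk itself shows why 8 is right: the last GPR is read at 0x7fd0 + 7 * 4 = 0x7fec, directly below the `_eip` read at 0x7ff0 and the `eflags` read at 0x7ff4 two lines above, so any count above 8 would first alias those fields and then run past the buffer, which is the overrun the commit message describes.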
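Review bot: `for (i = 0; i < 16; i++)` in rsm_load_state_64 calls `reg_write(ctxt, i)` for i up to 15, which is only safe where NR_EMULATOR_GPRS is 16; the Fixes: title says it is 8 for 32-bit KVM, so the patch relies on rsm_load_state_64 never being compiled in that configuration. A `BUILD_BUG_ON(16 > NR_EMULATOR_GPRS)` next to the loop, or a sentence in the commit message stating that this function is 64-bit only, would make that dependency explicit; the same reasoning is what makes `8` safe in the 32-bit loop under both configurations. The claim that the loops now match enter_smm_save_state_{32,64} cannot be checked from this diff, so quoting the corresponding save-side loop bounds in the commit message would help reviewers.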
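The commit message says a manual offset calculation shows the overrun; the following is an added, stand-alone C model of that calculation, not code from the patch or from KVM. It reproduces the two GPR loops with their offsets from the hunks (32-bit GPRs at 0x7fd0 + i * 4, 64-bit GPRs at 0x7ff8 - i * 8) behind a bounds-checked stand-in for GET_SMSTATE, and runs each loop with both the 8-register and the 16-register count. The buffer geometry (a 512-byte window starting at state-map offset 0x7e00) and the sample contents are assumptions made for the example; the helper names `smstate_in_bounds`, `get_smstate_checked`, `restore_gprs_32` and `restore_gprs_64` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed layout (an assumption of this example, not something the patch
 * states): em_rsm reads a 512-byte window of the SMM state save area that
 * starts at state-map offset 0x7e00, so an access at offset `off` is valid
 * only for off in [0x7e00, 0x8000).
 */
#define SMSTATE_BASE 0x7e00u
#define SMSTATE_SIZE 512u

/* Register counts of the two state-map layouts, as used in the patch. */
#define SMM_GPRS_32 8
#define SMM_GPRS_64 16

/* True if reading `width` bytes at state-map offset `off` stays inside the buffer. */
static bool smstate_in_bounds(unsigned off, unsigned width)
{
	if (off < SMSTATE_BASE)
		return false;
	unsigned rel = off - SMSTATE_BASE;
	return rel < SMSTATE_SIZE && width <= SMSTATE_SIZE - rel;
}

/*
 * Bounds-checked stand-in for GET_SMSTATE: assembles a little-endian value of
 * `width` bytes, or refuses the access instead of reading past `buf`.
 */
static bool get_smstate_checked(const uint8_t *buf, unsigned off,
				unsigned width, uint64_t *out)
{
	if (!smstate_in_bounds(off, width))
		return false;
	uint64_t v = 0;
	for (unsigned k = 0; k < width; k++)
		v |= (uint64_t)buf[off - SMSTATE_BASE + k] << (8 * k);
	*out = v;
	return true;
}

/*
 * The GPR loop of rsm_load_state_32 (32-bit GPRs at 0x7fd0 + i * 4) run with
 * an arbitrary register count. Returns how many registers were read before
 * the first out-of-bounds access, i.e. `count` when the loop is safe.
 */
static int restore_gprs_32(const uint8_t *buf, int count, uint64_t *regs)
{
	for (int i = 0; i < count; i++)
		if (!get_smstate_checked(buf, 0x7fd0 + i * 4, 4, &regs[i]))
			return i;
	return count;
}

/* Same for the loop of rsm_load_state_64: 64-bit GPRs at 0x7ff8 - i * 8. */
static int restore_gprs_64(const uint8_t *buf, int count, uint64_t *regs)
{
	for (int i = 0; i < count; i++)
		if (!get_smstate_checked(buf, 0x7ff8 - i * 8, 8, &regs[i]))
			return i;
	return count;
}

/* Constructed sample buffer: byte k holds (k & 0xff), so read values are recognisable. */
static void make_sample_smstate(uint8_t *buf)
{
	for (unsigned k = 0; k < SMSTATE_SIZE; k++)
		buf[k] = (uint8_t)k;
}

int main(void)
{
	uint8_t buf[SMSTATE_SIZE];
	uint64_t regs[SMM_GPRS_64] = {0};

	make_sample_smstate(buf);
	printf("32-bit map, 8 GPRs : %d of 8 read in bounds\n",
	       restore_gprs_32(buf, SMM_GPRS_32, regs));
	printf("32-bit map, 16 GPRs: %d of 16 read in bounds\n",
	       restore_gprs_32(buf, SMM_GPRS_64, regs));
	printf("64-bit map, 16 GPRs: %d of 16 read in bounds\n",
	       restore_gprs_64(buf, SMM_GPRS_64, regs));
	return 0;
}
```

With the 16-register count on the 32-bit layout the loop reads registers 8 through 11 from 0x7ff0 to 0x7ffc, which per the hunk hold `_eip` and `eflags` rather than GPRs, and fails on register 12 at offset 0x8000, the first byte past the window; with 8 registers it stops at 0x7fec, and the 64-bit loop with 16 registers walks downward to 0x7f80 and stays inside the window throughout. A checked accessor of this shape is the mitigation a reviewer would look for whenever a register count and a fixed memory layout are maintained separately.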