From patchwork Tue May 7 12:55:13 2013
X-Patchwork-Submitter: Andre Przywara
X-Patchwork-Id: 16734
From: Andre Przywara
To: cdall@cs.columbia.edu, marc.zyngier@arm.com
Cc: peter.maydell@linaro.org, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org, patches@linaro.org, Andre Przywara
Subject: [PATCH] ARM: KVM: prevent NULL pointer dereference with KVM ioctl
Date: Tue, 7 May 2013 14:55:13 +0200
Message-Id: <1367931313-14839-1-git-send-email-andre.przywara@linaro.org>
X-Mailer: git-send-email 1.7.12.1

Some ARM KVM VCPU ioctls require the vCPU to be properly initialized with the KVM_ARM_VCPU_INIT ioctl before being used with further requests. KVM_RUN checks whether this initialization has been done, but other ioctls do not. Namely KVM_GET_REG_LIST will dereference an array with index -1 without initialization and thus leads to a kernel oops.

Fix this by adding checks before executing the ioctl handlers.

Signed-off-by: Andre Przywara
---
 arch/arm/kvm/arm.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
index c1fe498..0c571ff 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -893,6 +893,11 @@ long kvm_arch_vcpu_ioctl(struct file *filp, case KVM_SET_ONE_REG: case KVM_GET_ONE_REG: { struct kvm_one_reg reg; + + /* Make sure they initialize the vcpu with KVM_ARM_VCPU_INIT */ + if (unlikely(vcpu->arch.target < 0)) + return -ENOEXEC; + if (copy_from_user(®, argp, sizeof(reg))) return -EFAULT; if (ioctl == KVM_SET_ONE_REG) @@ -905,6 +910,10 @@ long kvm_arch_vcpu_ioctl(struct file *filp, struct kvm_reg_list reg_list; unsigned n; + /* Make sure they initialize the vcpu with KVM_ARM_VCPU_INIT */ + if (unlikely(vcpu->arch.target < 0)) + return -ENOEXEC; + if (copy_from_user(®_list, user_list, sizeof(reg_list))) return -EFAULT; n = reg_list.n;
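Review bot: in the first hunk (KVM_SET_ONE_REG / KVM_GET_ONE_REG, before `copy_from_user(&reg, argp, sizeof(reg))`), the guard `if (unlikely(vcpu->arch.target < 0)) return -ENOEXEC;` is the same open-coded test the commit message says KVM_RUN already performs, and it is repeated verbatim again in the KVM_GET_REG_LIST hunk; a small helper (a hypothetical name such as `vcpu_initialized(vcpu)` wrapping `vcpu->arch.target >= 0`) would keep these checks from drifting apart as further vCPU ioctls gain the same precondition. The commit message only names KVM_GET_REG_LIST as the ioctl that oopses, so it should also state why the ONE_REG ioctls need the guard, otherwise a reader of the log cannot tell whether this hunk fixes a crash or is defence in depth. Minor style: `unlikely()` buys nothing on an ioctl path, and the comment "Make sure they initialize the vcpu" would be clearer as "Refuse until userspace has initialized the vcpu with KVM_ARM_VCPU_INIT".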
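Review bot: in the second hunk (KVM_GET_REG_LIST), the check is correctly placed before `copy_from_user(&reg_list, user_list, sizeof(reg_list))`, so the user-supplied `reg_list.n` is never consulted for a vCPU whose `target` is still -1, which is exactly the path the commit message says currently oopses. Two follow-ups: the new -ENOEXEC return for KVM_GET_REG_LIST, KVM_GET_ONE_REG and KVM_SET_ONE_REG on an uninitialized vCPU is a userspace-visible ABI change and should be recorded in the KVM API documentation alongside KVM_ARM_VCPU_INIT; and the commit message should say that unprivileged callers of these ioctls previously crashed the kernel rather than receiving an error, since that is what makes this a hardening fix and not just a cleanup.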