| From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001 |
| From: Paolo Bonzini <pbonzini@redhat.com> |
| Date: Wed, 4 Dec 2019 10:28:54 +0100 |
| Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332) |
| |
| From: Paolo Bonzini <pbonzini@redhat.com> |
| |
| commit 433f4ba1904100da65a311033f17a9bf586b287e upstream. |
| |
| The bounds check was present in KVM_GET_SUPPORTED_CPUID but not |
| KVM_GET_EMULATED_CPUID. |
| |
| Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com |
| Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29) |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| Cc: Ben Hutchings <ben@decadent.org.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| arch/x86/kvm/cpuid.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| --- a/arch/x86/kvm/cpuid.c |
| +++ b/arch/x86/kvm/cpuid.c |
| @@ -332,7 +332,7 @@ static inline int __do_cpuid_ent(struct |
| |
| r = -E2BIG; |
| |
| - if (*nent >= maxnent) |
| + if (WARN_ON(*nent >= maxnent)) |
| goto out; |
| |
| do_cpuid_1_ent(entry, function, index); |
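Review bot: The `WARN_ON()` wrapped around the `*nent >= maxnent` test turns what used to be a quiet -E2BIG return into a kernel warning, and under `panic_on_warn` (common in fuzzing and hardened configs) into a host crash, so it is only correct as long as every caller of `__do_cpuid_ent` has already rejected a full buffer. That invariant is not stated anywhere in the hunk; I would add `/* Callers (do_cpuid_ent) reject *nent >= maxnent first; hitting this is a KVM bug, not a userspace error. */` above the check. The `r = -E2BIG;` kept before it still makes the `goto out` path return the right code, which is worth keeping so the fallback stays graceful when warnings are non-fatal. `__do_cpuid_ent` starts before and continues after this hunk; any further `*nent >= maxnent` checks in its multi-entry loops that a legitimately small user-supplied `nent` can reach should stay plain `goto out`, since -E2BIG is the signal for userspace to retry with a larger buffer.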
| @@ -575,6 +575,9 @@ out: |
| static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func, |
| u32 idx, int *nent, int maxnent, unsigned int type) |
| { |
| + if (*nent >= maxnent) |
| + return -E2BIG; |
| + |
| if (type == KVM_GET_EMULATED_CPUID) |
| return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent); |
| |
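Review bot: The new guard at the top of `do_cpuid_ent` is the only bounds check on the KVM_GET_EMULATED_CPUID path, since per the commit message `__do_cpuid_ent_emulated` writes `entry` and bumps `*nent` without checking `maxnent` itself; the fix is therefore sound only while that helper emits at most one entry per call, and nothing in the hunk records that assumption. I would document it at the check: `/* Both helpers write entry[] unconditionally; on the emulated path this is the sole bounds check, so it must stay ahead of the dispatch. */`. Returning -E2BIG directly rather than going through the helper's `out:` label also means `entry` is never touched when the buffer is full, which is the right behaviour for a userspace-controlled `nent`. The function's remaining body (the call into `__do_cpuid_ent`) lies outside this hunk.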