release/4.8.20/KVM-s390-do-not-expose-random-data-via-facility-bitm.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-4.8 - Git at Google

 From d2a8ea2a900664eb5e03e1dbe089de7f0fdb0e84 Mon Sep 17 00:00:00 2001
 From: Christian Borntraeger <borntraeger@de.ibm.com>
 Date: Thu, 12 Jan 2017 16:25:15 +0100
 Subject: [PATCH] KVM: s390: do not expose random data via facility bitmap

 commit 04478197416e3a302e9ebc917ba1aa884ef9bfab upstream.

 kvm_s390_get_machine() populates the facility bitmap by copying bytes
 from the host results that are stored in a 256 byte array in the prefix
 page. The KVM code does use the size of the target buffer (2k), thus
 copying and exposing unrelated kernel memory (mostly machine check
 related logout data).

 Let's use the size of the source buffer instead.  This is ok, as the
 target buffer will always be greater or equal than the source buffer as
 the KVM internal buffers (and thus S390_ARCH_FAC_LIST_SIZE_BYTE) cover
 the maximum possible size that is allowed by STFLE, which is 256
 doublewords. All structures are zero allocated so we can leave bytes
 256-2047 unchanged.

 Add a similar fix for kvm_arch_init_vm().

 Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
 [found with smatch]
 Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
 CC: stable@vger.kernel.org
 Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
 index 607ec91966c7..31fc6408b374 100644
 --- a/arch/s390/kvm/kvm-s390.c
 +++ b/arch/s390/kvm/kvm-s390.c
 @@ -906,7 +906,7 @@ static int kvm_s390_get_machine(struct kvm *kvm, struct kvm_device_attr *attr)
  	memcpy(&mach->fac_mask, kvm->arch.model.fac_mask,
  	       S390_ARCH_FAC_LIST_SIZE_BYTE);
  	memcpy((unsigned long *)&mach->fac_list, S390_lowcore.stfle_fac_list,
 -	       S390_ARCH_FAC_LIST_SIZE_BYTE);
 +	       sizeof(S390_lowcore.stfle_fac_list));
  	if (copy_to_user((void __user *)attr->addr, mach, sizeof(*mach)))
  		ret = -EFAULT;
  	kfree(mach);
 @@ -1427,7 +1427,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)

  	/* Populate the facility mask initially. */
  	memcpy(kvm->arch.model.fac_mask, S390_lowcore.stfle_fac_list,
 -	       S390_ARCH_FAC_LIST_SIZE_BYTE);
 +	       sizeof(S390_lowcore.stfle_fac_list));
  	for (i = 0; i < S390_ARCH_FAC_LIST_SIZE_U64; i++) {
  		if (i < kvm_s390_fac_list_mask_size())
  			kvm->arch.model.fac_mask[i] &= kvm_s390_fac_list_mask[i];
 --
 2.10.1
	From d2a8ea2a900664eb5e03e1dbe089de7f0fdb0e84 Mon Sep 17 00:00:00 2001
	From: Christian Borntraeger <borntraeger@de.ibm.com>
	Date: Thu, 12 Jan 2017 16:25:15 +0100
	Subject: [PATCH] KVM: s390: do not expose random data via facility bitmap

	commit 04478197416e3a302e9ebc917ba1aa884ef9bfab upstream.

	kvm_s390_get_machine() populates the facility bitmap by copying bytes
	from the host results that are stored in a 256 byte array in the prefix
	page. The KVM code does use the size of the target buffer (2k), thus
	copying and exposing unrelated kernel memory (mostly machine check
	related logout data).

	Let's use the size of the source buffer instead. This is ok, as the
	target buffer will always be greater or equal than the source buffer as
	the KVM internal buffers (and thus S390_ARCH_FAC_LIST_SIZE_BYTE) cover
	the maximum possible size that is allowed by STFLE, which is 256
	doublewords. All structures are zero allocated so we can leave bytes
	256-2047 unchanged.

	Add a similar fix for kvm_arch_init_vm().

	Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
	[found with smatch]
	Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
	CC: stable@vger.kernel.org
	Acked-by: Cornelia Huck <cornelia.huck@de.ibm.com>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
	index 607ec91966c7..31fc6408b374 100644
	--- a/arch/s390/kvm/kvm-s390.c
	+++ b/arch/s390/kvm/kvm-s390.c
	@@ -906,7 +906,7 @@ static int kvm_s390_get_machine(struct kvm kvm, struct kvm_device_attr attr)
	memcpy(&mach->fac_mask, kvm->arch.model.fac_mask,
	S390_ARCH_FAC_LIST_SIZE_BYTE);
	memcpy((unsigned long *)&mach->fac_list, S390_lowcore.stfle_fac_list,
	- S390_ARCH_FAC_LIST_SIZE_BYTE);
	+ sizeof(S390_lowcore.stfle_fac_list));
	if (copy_to_user((void __user )attr->addr, mach, sizeof(mach)))
	ret = -EFAULT;
	kfree(mach);
	@@ -1427,7 +1427,7 @@ int kvm_arch_init_vm(struct kvm *kvm, unsigned long type)

	/* Populate the facility mask initially. */
	memcpy(kvm->arch.model.fac_mask, S390_lowcore.stfle_fac_list,
	- S390_ARCH_FAC_LIST_SIZE_BYTE);
	+ sizeof(S390_lowcore.stfle_fac_list));
	for (i = 0; i < S390_ARCH_FAC_LIST_SIZE_U64; i++) {
	if (i < kvm_s390_fac_list_mask_size())
	kvm->arch.model.fac_mask[i] &= kvm_s390_fac_list_mask[i];
	--
	2.10.1