android_kernel_oneplus_msm8998/arch/arm
Wanpeng Li eb91461daa KVM: Fix stack-out-of-bounds read in write_mmio
commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56 upstream.

Reported by syzkaller:

  BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
  Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298

  CPU: 6 PID: 32298 Comm: syz-executor Tainted: G           OE    4.15.0-rc2+ #18
  Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
  Call Trace:
   dump_stack+0xab/0xe1
   print_address_description+0x6b/0x290
   kasan_report+0x28a/0x370
   write_mmio+0x11e/0x270 [kvm]
   emulator_read_write_onepage+0x311/0x600 [kvm]
   emulator_read_write+0xef/0x240 [kvm]
   emulator_fix_hypercall+0x105/0x150 [kvm]
   em_hypercall+0x2b/0x80 [kvm]
   x86_emulate_insn+0x2b1/0x1640 [kvm]
   x86_emulate_instruction+0x39a/0xb90 [kvm]
   handle_exception+0x1b4/0x4d0 [kvm_intel]
   vcpu_enter_guest+0x15a0/0x2640 [kvm]
   kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
   kvm_vcpu_ioctl+0x479/0x880 [kvm]
   do_vfs_ioctl+0x142/0x9a0
   SyS_ioctl+0x74/0x80
   entry_SYSCALL_64_fastpath+0x23/0x9a

The vmmcall patching path writes the 3-byte opcode 0F 01 C1 (vmcall) into
guest memory; however, the write_mmio tracepoint always prints 8 bytes
through *(u64 *)val, since kvm splits the mmio access into 8-byte chunks. This
leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
it by accessing only the bytes which we operate on.

Before patch:

syz-executor-5567  [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f

After patch:

syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Christoffer Dall <christoffer.dall@linaro.org>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-17 09:35:24 +01:00
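The over-read described in the commit message, modelled as an added example (this is not kernel code and not part of the commit): the old trace argument reads a full 8 bytes from the buffer address no matter what `len` is, while the fixed one assembles only the `len` bytes that write_mmio operates on. The function names, the `MMIO_MAX_CHUNK` constant and the 16-byte "stack" buffer with its 0xAB filler are assumptions constructed for this illustration; the little-endian assembly mirrors what `*(u64 *)val` yields on x86-64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of CVE-2017-17741 (not kernel code). write_mmio()
 * passed *(u64 *)val to trace_kvm_mmio() even when len < 8, so the trace
 * record carried the len bytes of the MMIO write plus whatever followed
 * them on the emulator's stack. The functions below model the trace
 * argument before and after the fix.
 */

#define MMIO_MAX_CHUNK 8   /* kvm splits MMIO accesses into chunks of at most 8 bytes */

/* Assemble up to 8 bytes little-endian, as *(u64 *)val does on x86-64. */
static uint64_t load_le(const uint8_t *p, unsigned n)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n && i < MMIO_MAX_CHUNK; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Before the patch: 8 bytes are read regardless of len. */
uint64_t trace_val_before(const void *val, unsigned len)
{
    (void)len;   /* len was only printed, never used to bound the read */
    return load_le(val, MMIO_MAX_CHUNK);
}

/* After the patch: only the len bytes write_mmio actually operates on. */
uint64_t trace_val_after(const void *val, unsigned len)
{
    return load_le(val, len);
}

/* Stack bytes the old code exposed for a write of len bytes. */
unsigned bytes_leaked(unsigned len)
{
    return len < MMIO_MAX_CHUNK ? MMIO_MAX_CHUNK - len : 0;
}

/* Constructed stand-in for the emulator's stack frame: the patched 3-byte
 * vmcall opcode (0F 01 C1) followed by other stack contents, filled with
 * 0xAB here so the leaked bytes are visible in the trace value. */
const uint8_t *sample_stack(void)
{
    static uint8_t stack[16];
    memset(stack, 0xAB, sizeof stack);
    stack[0] = 0x0F;
    stack[1] = 0x01;
    stack[2] = 0xC1;
    return stack;
}

int main(void)
{
    const uint8_t *stack = sample_stack();
    unsigned len = 3;   /* the vmcall patch is a 3-byte write */

    printf("mmio write len %u val 0x%llx (before: %u stack bytes leaked)\n",
           len, (unsigned long long)trace_val_before(stack, len), bytes_leaked(len));
    printf("mmio write len %u val 0x%llx (after)\n",
           len, (unsigned long long)trace_val_after(stack, len));
    return 0;
}
```

With the 0xAB filler the "before" value comes out as 0xabababababc1010f, the same shape as the pre-patch trace line above (opcode in the low three bytes, five bytes of stack contents above it), and the "after" value is 0xc1010f.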
boot ARM: dts: am335x-evmsk: adjust mmc2 param to allow suspend 2017-12-25 14:22:13 +01:00
common ARM: sa1111: fix pcmcia suspend/resume 2016-10-07 15:23:44 +02:00
configs ARM: omap2plus_defconfig: Fix probe errors on UARTs 5 and 6 2017-11-15 17:13:09 +01:00
crypto arm: crypto: reduce priority of bit-sliced AES cipher 2017-11-21 09:21:18 +01:00
firmware
include ARM: Hide finish_arch_post_lock_switch() from modules 2017-12-25 14:22:09 +01:00
kernel ARM: avoid faulting on qemu 2017-12-16 10:33:50 +01:00
kvm KVM: Fix stack-out-of-bounds read in write_mmio 2018-01-17 09:35:24 +01:00
lib ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user() 2017-02-23 17:43:09 +01:00
mach-alpine
mach-asm9260
mach-at91 ARM: remove duplicate 'const' annotations' 2017-10-08 10:14:20 +02:00
mach-axxia
mach-bcm ARM: remove duplicate 'const' annotations' 2017-10-08 10:14:20 +02:00
mach-berlin arm: berlin: add CPU hotplug support 2015-10-15 21:14:28 +02:00
mach-clps711x
mach-cns3xxx ARM: remove duplicate 'const' annotations' 2017-10-08 10:14:20 +02:00
mach-davinci ARM: davinci: da850: don't add emac clock to lookup table twice 2017-01-12 11:22:43 +01:00
mach-digicolor ARM: digicolor: select pinctrl/gpio driver 2015-10-15 22:27:30 +02:00
mach-dove ARM: dove: Fix legacy get_irqnr_and_base 2015-11-25 14:59:12 +00:00
mach-ebsa110
mach-efm32
mach-ep93xx
mach-exynos ARM: EXYNOS: Properly skip unitialized parent clock in power domain on 2016-05-11 11:21:14 +02:00
mach-footbridge
mach-gemini ARM: gemini: remove unnecessary mdio-gpio includes 2015-10-21 19:50:43 -07:00
mach-highbank
mach-hisi
mach-imx ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx 2016-09-24 10:07:39 +02:00
mach-integrator
mach-iop13xx
mach-iop32x
mach-iop33x
mach-ixp4xx ARM: ixp4xx: fix read{b,w,l} return types 2015-12-01 23:45:30 +01:00
mach-keystone
mach-ks8695
mach-lpc18xx
mach-lpc32xx
mach-mediatek ARM: SoC platform updates for v4.4 2015-11-10 14:56:23 -08:00
mach-meson
mach-mmp
mach-moxart
mach-mv78xx0
mach-mvebu ARM: mvebu: fix HW I/O coherency related deadlocks 2016-07-27 09:47:39 -07:00
mach-mxs
mach-netx
mach-nomadik
mach-nspire
mach-omap1 ARM: OMAP1: DMA: Correct the number of logical channels 2017-12-09 18:42:41 +01:00
mach-omap2 ARM: OMAP2+: Release device node after it is no longer needed. 2017-12-16 10:33:51 +01:00
mach-orion5x ARM: orion5x: Fix legacy get_irqnr_and_base 2015-11-25 15:01:00 +00:00
mach-picoxcell
mach-prima2 ARM: prima2: always enable reset controller 2016-05-04 14:48:53 -07:00
mach-pxa ARM: pxa: Don't rely on public mmc header to include leds.h 2017-11-08 10:06:29 +01:00
mach-qcom ARM: Remove __ref on hotplug cpu die path 2015-10-22 09:55:03 -07:00
mach-realview net: smc91x: fix SMC accesses 2016-09-30 10:18:37 +02:00
mach-rockchip
mach-rpc
mach-s3c24xx cpufreq: s3c24xx: Do not mark s3c2410_plls_add as __init 2015-11-27 10:10:32 +09:00
mach-s3c64xx ASoC: samsung: pass DMA channels as pointers 2016-04-12 09:08:32 -07:00
mach-s5pv210
mach-sa1100 ARM: sa1100: clear reset status prior to reboot 2016-10-07 15:23:43 +02:00
mach-shmobile ARM: shmobile: fix regulator quirk for Gen2 2016-10-07 15:23:43 +02:00
mach-socfpga ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel 2016-05-11 11:21:14 +02:00
mach-spear ARM: remove duplicate 'const' annotations' 2017-10-08 10:14:20 +02:00
mach-sti
mach-stm32
mach-sunxi ARM: SoC platform updates for v4.4 2015-11-10 14:56:23 -08:00
mach-tegra ARM: SoC platform updates for v4.4 2015-11-10 14:56:23 -08:00
mach-u300 spi: Updates for v4.4 2015-11-05 13:15:12 -08:00
mach-uniphier ARM: uniphier: rework SMP operations to use trampoline code 2015-10-27 09:20:53 +09:00
mach-ux500 ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation 2017-01-26 08:23:49 +01:00
mach-versatile
mach-vexpress ARM: Remove __ref on hotplug cpu die path 2015-10-22 09:55:03 -07:00
mach-vt8500
mach-w90x900
mach-zx ARM: zx: only build power domain code when CONFIG_PM=y 2015-11-19 16:16:45 +01:00
mach-zynq ARM: zynq: Reserve correct amount of non-DMA RAM 2017-01-15 13:41:36 +01:00
mm ARM: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory 2017-12-25 14:22:13 +01:00
net ARM: net: bpf: fix zero right shift 2016-01-06 01:32:09 -05:00
nwfpe
oprofile
plat-iop
plat-omap
plat-orion mvebu fixes for 4.3 (part 1) 2015-10-14 17:10:55 +02:00
plat-pxa ARM: pxa: add the number of DMA requestor lines 2017-10-05 09:41:48 +02:00
plat-samsung ASoC: samsung: pass DMA channels as pointers 2016-04-12 09:08:32 -07:00
plat-versatile
probes arm: kprobes: Align stack to 8-bytes in test code 2017-12-25 14:22:10 +01:00
tools
vdso ARM: 8449/1: fix bug in vdsomunge swab32 macro 2015-10-29 15:20:15 +00:00
vfp
xen swiotlb-xen: implement xen_swiotlb_dma_mmap callback 2017-10-05 09:41:48 +02:00
Kconfig ARM: 8454/1: OF implies OF_FLATTREE 2015-11-28 23:26:12 +00:00
Kconfig-nommu ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM 2017-10-08 10:14:17 +02:00
Kconfig.debug ARM: debug-ll: fix BCM63xx entry for multiplatform 2016-03-03 15:07:08 -08:00
Makefile