evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/virt/kvm
History
Paolo Bonzini 2cb77b0ad4 KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi 
commit c622a3c21ede892e370b56e1ceb9eb28f8bbda6b upstream.

Found by syzkaller:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000120
    IP: [<ffffffffa0797202>] kvm_irq_map_gsi+0x12/0x90 [kvm]
    PGD 6f80b067 PUD b6535067 PMD 0
    Oops: 0000 [#1] SMP
    CPU: 3 PID: 4988 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
    [...]
    Call Trace:
     [<ffffffffa0795f62>] irqfd_update+0x32/0xc0 [kvm]
     [<ffffffffa0796c7c>] kvm_irqfd+0x3dc/0x5b0 [kvm]
     [<ffffffffa07943f4>] kvm_vm_ioctl+0x164/0x6f0 [kvm]
     [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
     [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
     [<ffffffff817a1062>] tracesys_phase2+0x84/0x89
    Code: b5 71 a7 e0 5b 41 5c 41 5d 5d f3 c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 8b 8f 10 2e 00 00 31 c0 48 89 e5 <39> 91 20 01 00 00 76 6a 48 63 d2 48 8b 94 d1 28 01 00 00 48 85
    RIP  [<ffffffffa0797202>] kvm_irq_map_gsi+0x12/0x90 [kvm]
     RSP <ffff8800926cbca8>
    CR2: 0000000000000120

Testcase:

    #include <unistd.h>
    #include <sys/syscall.h>
    #include <string.h>
    #include <stdint.h>
    #include <linux/kvm.h>
    #include <fcntl.h>
    #include <sys/ioctl.h>

    long r[26];

    int main()
    {
        memset(r, -1, sizeof(r));
        r[2] = open("/dev/kvm", 0);
        r[3] = ioctl(r[2], KVM_CREATE_VM, 0);

        struct kvm_irqfd ifd;
        ifd.fd = syscall(SYS_eventfd2, 5, 0);
        ifd.gsi = 3;
        ifd.flags = 2;
        ifd.resamplefd = ifd.fd;
        r[25] = ioctl(r[3], KVM_IRQFD, &ifd);
        return 0;
    }

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-06-24 10:18:18 -07:00
..
arm KVM: arm/arm64: Handle forward time correction gracefully 2016-05-04 14:48:40 -07:00
async_pf.c KVM: async_pf: do not warn on page allocation failures 2016-03-03 15:07:29 -08:00
async_pf.h
coalesced_mmio.c
coalesced_mmio.h KVM: make the declaration of functions within 80 characters 2015-09-14 18:43:19 +02:00
eventfd.c KVM: x86: merge kvm_arch_set_irq with kvm_set_msi_inatomic 2015-11-04 16:24:35 +01:00
irqchip.c KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi 2016-06-24 10:18:18 -07:00
Kconfig KVM: don't pointlessly leave KVM_COMPAT=y in non-KVM configs 2015-11-04 16:24:30 +01:00
kvm_main.c KVM: fix spin_lock_init order on x86 2016-04-12 09:08:34 -07:00
vfio.c KVM: count number of assigned devices 2015-07-10 13:25:26 +02:00
vfio.h