[thirdparty/kernel/stable-queue.git] / pending-5.1 / kvm-nvmx-really-fix-the-size-checks-on-kvm_set_neste.patch

From 7f4d21ecf7d8552e66f374576e45f5d20c4cde45 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Mon, 20 May 2019 11:55:36 +0200
Subject: KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE

[ Upstream commit db80927ea1977a845230a161df643b48fd1e1ea4 ]

The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE,
so the correct size must be that plus sizeof(*vmcs12).  This could lead
to KVM reading garbage data from userspace and not reporting an error,
but is otherwise not sensitive.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/vmx/nested.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 8f6f69c26c35..5fa0c17d0b41 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -5467,7 +5467,7 @@ static int vmx_set_nested_state(struct kvm_vcpu *vcpu,
 	    vmcs12->vmcs_link_pointer != -1ull) {
 		struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);
 
-		if (kvm_state->size < sizeof(*kvm_state) + 2 * sizeof(*vmcs12))
+		if (kvm_state->size < sizeof(*kvm_state) + VMCS12_SIZE + sizeof(*vmcs12))
 			return -EINVAL;
 
 		if (copy_from_user(shadow_vmcs12,
-- 
2.20.1
Commit	Line	Data
fb43722c SL	1	From 7f4d21ecf7d8552e66f374576e45f5d20c4cde45 Mon Sep 17 00:00:00 2001
	2	From: Paolo Bonzini <pbonzini@redhat.com>
	3	Date: Mon, 20 May 2019 11:55:36 +0200
	4	Subject: KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE
	5
	6	[ Upstream commit db80927ea1977a845230a161df643b48fd1e1ea4 ]
	7
	8	The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE,
	9	so the correct size must be that plus sizeof(*vmcs12). This could lead
	10	to KVM reading garbage data from userspace and not reporting an error,
	11	but is otherwise not sensitive.
	12
	13	Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
	14	Signed-off-by: Sasha Levin <sashal@kernel.org>
	15	---
	16	arch/x86/kvm/vmx/nested.c \| 2 +-
	17	1 file changed, 1 insertion(+), 1 deletion(-)
	18
	19	diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
	20	index 8f6f69c26c35..5fa0c17d0b41 100644
	21	--- a/arch/x86/kvm/vmx/nested.c
	22	+++ b/arch/x86/kvm/vmx/nested.c
	23	@@ -5467,7 +5467,7 @@ static int vmx_set_nested_state(struct kvm_vcpu *vcpu,
	24	vmcs12->vmcs_link_pointer != -1ull) {
	25	struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);
	26
	27	- if (kvm_state->size < sizeof(kvm_state) + 2 sizeof(*vmcs12))
	28	+ if (kvm_state->size < sizeof(kvm_state) + VMCS12_SIZE + sizeof(vmcs12))
	29	return -EINVAL;
	30
	31	if (copy_from_user(shadow_vmcs12,
	32	--
	33	2.20.1
	34