1 From 7f4d21ecf7d8552e66f374576e45f5d20c4cde45 Mon Sep 17 00:00:00 2001
2 From: Paolo Bonzini <pbonzini@redhat.com>
3 Date: Mon, 20 May 2019 11:55:36 +0200
4 Subject: KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE
5
6 [ Upstream commit db80927ea1977a845230a161df643b48fd1e1ea4 ]
7
8 The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE,
9 so the correct size must be that plus sizeof(*vmcs12). This could lead
10 to KVM reading garbage data from userspace and not reporting an error,
11 but is otherwise not sensitive.
12
13 Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
14 Signed-off-by: Sasha Levin <sashal@kernel.org>
15 ---
16 arch/x86/kvm/vmx/nested.c | 2 +-
17 1 file changed, 1 insertion(+), 1 deletion(-)
18
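diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 8f6f69c26c35..5fa0c17d0b41 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -5467,7 +5467,7 @@ static int vmx_set_nested_state(struct kvm_vcpu *vcpu,
 vmcs12->vmcs_link_pointer != -1ull) {
 struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);
 
-if (kvm_state->size < sizeof(*kvm_state) + 2 * sizeof(*vmcs12))
+if (kvm_state->size < sizeof(*kvm_state) + VMCS12_SIZE + sizeof(*vmcs12))
 return -EINVAL;
 
 if (copy_from_user(shadow_vmcs12,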
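Review bot: The corrected bound on the `+` line is only right if the shadow copy that starts at `if (copy_from_user(shadow_vmcs12,` reads exactly `sizeof(*vmcs12)` bytes from offset `sizeof(*kvm_state) + VMCS12_SIZE`; the source offset and length are on the continuation lines outside the hunk, so that pairing should be confirmed rather than assumed, since a length of `VMCS12_SIZE` there would leave the check short again. Because `kvm_state->size` comes from userspace, this comparison is the only thing keeping the copy inside the caller's buffer, and the mixed use of `VMCS12_SIZE` for the first region and `sizeof(*vmcs12)` for the second is easy to misread on a later edit. A comment above the check would pin the layout the bound encodes, e.g. `/* user layout: kvm_state header, VMCS12_SIZE-padded vmcs12, then a bare struct vmcs12 for the shadow VMCS */`. The enclosing vmx_set_nested_state() begins and ends outside the hunk.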
32 --
33 2.20.1
34