KVM: x86: smm: number of GPRs in the SMRAM image depends on the image format

commit 696db303e54f7352623d9f640e6c51d8fa9d5588 upstream.

On 64 bit host, if the guest doesn't have X86_FEATURE_LM, KVM will
access 16 gprs to 32-bit smram image, causing out-ouf-bound ram
access.

On 32 bit host, the rsm_load_state_64/enter_smm_save_state_64
is compiled out, thus access overflow can't happen.

Fixes: b443183a25ab61 ("KVM: x86: Reduce the number of emulator GPRs to '8' for 32-bit KVM")
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20221025124741.228045-15-mlevitsk@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 883e380e5801d5916e78a67fcb289551b3656555..d4b746de623e0364722791c2a76f48edc5f70100 100644 (file)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -2430,7 +2430,7 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
        ctxt->eflags =             GET_SMSTATE(u32, smstate, 0x7ff4) | X86_EFLAGS_FIXED;
        ctxt->_eip =               GET_SMSTATE(u32, smstate, 0x7ff0);
 
-       for (i = 0; i < NR_EMULATOR_GPRS; i++)
+       for (i = 0; i < 8; i++)
                *reg_write(ctxt, i) = GET_SMSTATE(u32, smstate, 0x7fd0 + i * 4);
 
        val = GET_SMSTATE(u32, smstate, 0x7fcc);
@@ -2487,7 +2487,7 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
        u16 selector;
        int i, r;
 
-       for (i = 0; i < NR_EMULATOR_GPRS; i++)
+       for (i = 0; i < 16; i++)
                *reg_write(ctxt, i) = GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8);
 
        ctxt->_eip   = GET_SMSTATE(u64, smstate, 0x7f78);