On 11/07/2016 08:07, Yang Zhang wrote: >> >> mutex_lock(&kvm->arch.apic_map_lock); >> >> + kvm_for_each_vcpu(i, vcpu, kvm) >> + if (kvm_apic_present(vcpu)) >> + max_id = max(max_id, kvm_apic_id(vcpu->arch.apic)); >> + >> + new = kzalloc(sizeof(struct kvm_apic_map) + >> + sizeof(struct kvm_lapic *) * (max_id + 1), >> GFP_KERNEL); >> + > > I think this may cause the host runs out of memory if a malicious guest > did follow thing: > 1. vcpu a is doing apic map recalculation. > 2. vcpu b write the apic id with 0xff > 3. then vcpu b enable the x2apic: in kvm_lapic_set_base(), we will set > apic_base to new value before reset the apic id. > 4. vcpu a may see the x2apic enabled in vcpu b plus an old apic > id(0xff), and max_id will become (0xff >> 24). The bug is not really here but in patch 6---but you're right nevertheless! I guess the easiest solution is to replace kvm_apic_id with a field in struct kvm_lapic, which is already shifted right by 24 in xAPIC mode. It can be added easily in patch 6 itself, it's like 3 new lines of code because all reads and writes go through kvm_apic_id and kvm_apic_set_id; the kvm_apic_id wrapper can be kept for simplicity. Thanks again! Paolo -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
