+-- On Wed, 23 Nov 2016, Paolo Bonzini wrote --+ | On 23/11/2016 21:15, Radim Krčmář wrote: | > KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be | > bigger that the maximal number of VCPUs, resulting in out-of-bounds | > access. | > | > Found by syzkaller: | > | > BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...] | > Write of size 1 by task a.out/27101 | > CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49 | > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 | > [...] | > Call Trace: | > [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905 | > [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495 | > [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86 | > [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360 | > [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222 | > [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235 | > [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670 | > [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668 | > [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999 | > [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099 | | Prasad, this needs a CVE. Yes, I'm processing it. Thank you so much for CC'ing. Thank you. -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
