the patch fixed the oob vulnerability when i = 79, but maybe the patch introduces an infinite loop, if i = 79, then j = 0, the do-while loop use cpuid_entries[0-78] to compare cpuid_entries[79], maybe fall into infinite loop. Kind regards moguofang -----邮件原件----- 发件人: Wanpeng Li [mailto:kernellwp@xxxxxxxxx] 发送时间: 2017年6月7日 16:32 收件人: Moguofang (Dennis mo) 抄送: kvm@xxxxxxxxxxxxxxx; Zhouyu (Axis Zhou, ICSL) 主题: Re: KVM vulnerability report about cpuid instruction 2017-06-07 15:09 GMT+08:00 Moguofang (Dennis mo) <moguofang@xxxxxxxxxx>: > Hello! > A new vulnerability discover by me. Could you test something like this? --------------------------->8------------------------------------------- --------------------------->------------------ Signed-off-by: Wanpeng Li <wanpeng.li@xxxxxxxxxxx> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index a181ae7..b927a42 100644 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid, static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i) { + int j = i, nent = vcpu->arch.cpuid_nent; struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i]; - int j, nent = vcpu->arch.cpuid_nent; + struct kvm_cpuid_entry2 *ej; e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT; /* when no next entry is found, the current entry[i] is reselected */ - for (j = i + 1; ; j = (j + 1) % nent) { - struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j]; - if (ej->function == e->function) { - ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; - return j; - } - } - return 0; /* silence gcc, even though control never reaches here */ + do { + j = (j + 1) % nent; + ej = &vcpu->arch.cpuid_entries[j]; + } while(ej->function != e->function); + + ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; + + return j; } /* find an entry with matching function, matching index (if needed), and that