On Fri, Apr 17, 2020 at 09:24:10PM +0800, sam hao wrote:
> Hi,
>
> I've found possible out of bounds access in search_memslots() in kvm_host.h.

...

> 	if (start < slots->used_slots && gfn >= memslots[start].base_gfn &&
> 	    gfn < memslots[start].base_gfn + memslots[start].npages) {
> 		atomic_set(&slots->lru_slot, start);
> 		return &memslots[start];
> 	}

Fixed (with this exact check) by commit b6467ab142b7 ("KVM: Check validity of
resolved slot when searching memslots").  Syzbot found this one very quickly :-)

Thanks!
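The check quoted above guards the index that the binary search in search_memslots() resolves: when the requested gfn lies below every registered slot, the search terminates with `start == slots->used_slots`, so `memslots[start]` is one past the last valid entry. The following user-space model is an added example written for this thread, not the kernel's own code; it assumes a simplified `kvm_memslots` (plain ints instead of atomics, a fixed-size backing array, and a constructed set of three slots) and shows the resolved index alongside the guarded lookup so the off-by-one case is visible without ever dereferencing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t gfn_t;

/* Simplified model of the KVM structures (assumption: no atomics, no flags). */
struct kvm_memory_slot {
	gfn_t base_gfn;
	unsigned long npages;
};

#define SLOTS_CAPACITY 8	/* backing-array capacity; constructed value */

struct kvm_memslots {
	int lru_slot;		/* stands in for atomic_t lru_slot */
	int used_slots;
	struct kvm_memory_slot memslots[SLOTS_CAPACITY];
};

static int gfn_in_slot(const struct kvm_memory_slot *s, gfn_t gfn)
{
	return gfn >= s->base_gfn && gfn < s->base_gfn + s->npages;
}

/* Binary search over slots sorted by descending base_gfn.  Returns the index
 * the caller still has to validate: it equals used_slots whenever gfn is
 * below every slot, which is the out-of-bounds index the report describes. */
static int resolve_index(const struct kvm_memslots *slots, gfn_t gfn)
{
	int start = 0, end = slots->used_slots;
	const struct kvm_memory_slot *memslots = slots->memslots;

	while (start < end) {
		int slot = start + (end - start) / 2;

		if (gfn >= memslots[slot].base_gfn)
			end = slot;
		else
			start = slot + 1;
	}
	return start;
}

static struct kvm_memory_slot *
search_memslots(struct kvm_memslots *slots, gfn_t gfn)
{
	struct kvm_memory_slot *memslots = slots->memslots;
	int slot = slots->lru_slot;
	int start;

	/* LRU fast path; lru_slot is only ever assigned a validated index. */
	if (slot < slots->used_slots && gfn_in_slot(&memslots[slot], gfn))
		return &memslots[slot];

	start = resolve_index(slots, gfn);

	/* The guard from the fix: "start < used_slots" must come first, so a
	 * gfn below every slot never reads memslots[used_slots]. */
	if (start < slots->used_slots && gfn_in_slot(&memslots[start], gfn)) {
		slots->lru_slot = start;
		return &memslots[start];
	}
	return NULL;
}

/* Constructed sample: three slots of 16 pages each, sorted by descending base. */
static struct kvm_memslots sample_slots = {
	.lru_slot = 0,
	.used_slots = 3,
	.memslots = { { 0x300, 0x10 }, { 0x200, 0x10 }, { 0x100, 0x10 } },
};

/* Constructed sample with no slots at all: resolve_index() returns 0, which
 * is again == used_slots and must not be dereferenced. */
static struct kvm_memslots empty_slots = { .lru_slot = 0, .used_slots = 0 };

int main(void)
{
	gfn_t probes[] = { 0x305, 0x205, 0x150, 0x50 };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
		struct kvm_memory_slot *s = search_memslots(&sample_slots, probes[i]);

		printf("gfn 0x%llx: resolved index %d, %s\n",
		       (unsigned long long)probes[i],
		       resolve_index(&sample_slots, probes[i]),
		       s ? "in a slot" : "no slot (NULL)");
	}
	printf("empty table: %s\n",
	       search_memslots(&empty_slots, 0) ? "in a slot" : "no slot (NULL)");
	return 0;
}
```

Running it shows gfn 0x50 resolving to index 3 with `used_slots == 3`: the lookup correctly returns NULL only because the bounds comparison precedes the `base_gfn` comparison in the `&&` chain, so a model that drops the first term reproduces the reported read one entry past the populated slots.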