Re: [PATCH v3 02/12] KVM: x86: Introduce allow list for MSR emulation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Aaron,

url:    https://github.com/0day-ci/linux/commits/Aaron-Lewis/Allow-userspace-to-manage-MSRs/20200819-051903
base:   https://git.kernel.org/pub/scm/virt/kvm/kvm.git linux-next
config: x86_64-randconfig-m001-20200827 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

smatch warnings:
arch/x86/kvm/x86.c:5248 kvm_vm_ioctl_add_msr_allowlist() error: 'bitmap' dereferencing possible ERR_PTR()

# https://github.com/0day-ci/linux/commit/107c87325cf461b7b1bd07bb6ddbaf808a8d8a2a
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Aaron-Lewis/Allow-userspace-to-manage-MSRs/20200819-051903
git checkout 107c87325cf461b7b1bd07bb6ddbaf808a8d8a2a
vim +/bitmap +5248 arch/x86/kvm/x86.c

107c87325cf461 Aaron Lewis 2020-08-18  5181  static int kvm_vm_ioctl_add_msr_allowlist(struct kvm *kvm, void __user *argp)
107c87325cf461 Aaron Lewis 2020-08-18  5182  {
107c87325cf461 Aaron Lewis 2020-08-18  5183  	struct msr_bitmap_range *ranges = kvm->arch.msr_allowlist_ranges;
107c87325cf461 Aaron Lewis 2020-08-18  5184  	struct kvm_msr_allowlist __user *user_msr_allowlist = argp;
107c87325cf461 Aaron Lewis 2020-08-18  5185  	struct msr_bitmap_range range;
107c87325cf461 Aaron Lewis 2020-08-18  5186  	struct kvm_msr_allowlist kernel_msr_allowlist;
107c87325cf461 Aaron Lewis 2020-08-18  5187  	unsigned long *bitmap = NULL;
107c87325cf461 Aaron Lewis 2020-08-18  5188  	size_t bitmap_size;
107c87325cf461 Aaron Lewis 2020-08-18  5189  	int r = 0;
107c87325cf461 Aaron Lewis 2020-08-18  5190  
107c87325cf461 Aaron Lewis 2020-08-18  5191  	if (copy_from_user(&kernel_msr_allowlist, user_msr_allowlist,
107c87325cf461 Aaron Lewis 2020-08-18  5192  			   sizeof(kernel_msr_allowlist))) {
107c87325cf461 Aaron Lewis 2020-08-18  5193  		r = -EFAULT;
107c87325cf461 Aaron Lewis 2020-08-18  5194  		goto out;
107c87325cf461 Aaron Lewis 2020-08-18  5195  	}
107c87325cf461 Aaron Lewis 2020-08-18  5196  
107c87325cf461 Aaron Lewis 2020-08-18  5197  	bitmap_size = BITS_TO_LONGS(kernel_msr_allowlist.nmsrs) * sizeof(long);
                                                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^n
On 32 bit systems the BITS_TO_LONGS() can integer overflow if
kernel_msr_allowlist.nmsrs is larger than ULONG_MAX - bits_per_long.  In
that case bitmap_size is zero.

107c87325cf461 Aaron Lewis 2020-08-18  5198  	if (bitmap_size > KVM_MSR_ALLOWLIST_MAX_LEN) {
107c87325cf461 Aaron Lewis 2020-08-18  5199  		r = -EINVAL;
107c87325cf461 Aaron Lewis 2020-08-18  5200  		goto out;
107c87325cf461 Aaron Lewis 2020-08-18  5201  	}
107c87325cf461 Aaron Lewis 2020-08-18  5202  
107c87325cf461 Aaron Lewis 2020-08-18  5203  	bitmap = memdup_user(user_msr_allowlist->bitmap, bitmap_size);
107c87325cf461 Aaron Lewis 2020-08-18  5204  	if (IS_ERR(bitmap)) {
107c87325cf461 Aaron Lewis 2020-08-18  5205  		r = PTR_ERR(bitmap);
107c87325cf461 Aaron Lewis 2020-08-18  5206  		goto out;
                                                        ^^^^^^^^
"out" is always a vague label name.  It's better style to return
directly instead of doing a complicated no-op.

	if (IS_ERR(bitmap))
		return PTR_ERR(bitmap);

107c87325cf461 Aaron Lewis 2020-08-18  5207  	}
107c87325cf461 Aaron Lewis 2020-08-18  5208  
107c87325cf461 Aaron Lewis 2020-08-18  5209  	range = (struct msr_bitmap_range) {
107c87325cf461 Aaron Lewis 2020-08-18  5210  		.flags = kernel_msr_allowlist.flags,
107c87325cf461 Aaron Lewis 2020-08-18  5211  		.base = kernel_msr_allowlist.base,
107c87325cf461 Aaron Lewis 2020-08-18  5212  		.nmsrs = kernel_msr_allowlist.nmsrs,
107c87325cf461 Aaron Lewis 2020-08-18  5213  		.bitmap = bitmap,

In case of overflow then "bitmap" is 0x16 and .nmsrs is a very high
number.

107c87325cf461 Aaron Lewis 2020-08-18  5214  	};
107c87325cf461 Aaron Lewis 2020-08-18  5215  
107c87325cf461 Aaron Lewis 2020-08-18  5216  	if (range.flags & ~(KVM_MSR_ALLOW_READ | KVM_MSR_ALLOW_WRITE)) {
107c87325cf461 Aaron Lewis 2020-08-18  5217  		r = -EINVAL;
107c87325cf461 Aaron Lewis 2020-08-18  5218  		goto out;
107c87325cf461 Aaron Lewis 2020-08-18  5219  	}
107c87325cf461 Aaron Lewis 2020-08-18  5220  
107c87325cf461 Aaron Lewis 2020-08-18  5221  	/*
107c87325cf461 Aaron Lewis 2020-08-18  5222  	 * Protect from concurrent calls to this function that could trigger
107c87325cf461 Aaron Lewis 2020-08-18  5223  	 * a TOCTOU violation on kvm->arch.msr_allowlist_ranges_count.
107c87325cf461 Aaron Lewis 2020-08-18  5224  	 */
107c87325cf461 Aaron Lewis 2020-08-18  5225  	mutex_lock(&kvm->lock);
107c87325cf461 Aaron Lewis 2020-08-18  5226  
107c87325cf461 Aaron Lewis 2020-08-18  5227  	if (kvm->arch.msr_allowlist_ranges_count >=
107c87325cf461 Aaron Lewis 2020-08-18  5228  	    ARRAY_SIZE(kvm->arch.msr_allowlist_ranges)) {
107c87325cf461 Aaron Lewis 2020-08-18  5229  		r = -E2BIG;
107c87325cf461 Aaron Lewis 2020-08-18  5230  		goto out_locked;
107c87325cf461 Aaron Lewis 2020-08-18  5231  	}
107c87325cf461 Aaron Lewis 2020-08-18  5232  
107c87325cf461 Aaron Lewis 2020-08-18  5233  	if (msr_range_overlaps(kvm, &range)) {
107c87325cf461 Aaron Lewis 2020-08-18  5234  		r = -EINVAL;
107c87325cf461 Aaron Lewis 2020-08-18  5235  		goto out_locked;
107c87325cf461 Aaron Lewis 2020-08-18  5236  	}
107c87325cf461 Aaron Lewis 2020-08-18  5237  
107c87325cf461 Aaron Lewis 2020-08-18  5238  	/* Everything ok, add this range identifier to our global pool */
107c87325cf461 Aaron Lewis 2020-08-18  5239  	ranges[kvm->arch.msr_allowlist_ranges_count] = range;
107c87325cf461 Aaron Lewis 2020-08-18  5240  	/* Make sure we filled the array before we tell anyone to walk it */
107c87325cf461 Aaron Lewis 2020-08-18  5241  	smp_wmb();
107c87325cf461 Aaron Lewis 2020-08-18  5242  	kvm->arch.msr_allowlist_ranges_count++;
107c87325cf461 Aaron Lewis 2020-08-18  5243  
107c87325cf461 Aaron Lewis 2020-08-18  5244  out_locked:
107c87325cf461 Aaron Lewis 2020-08-18  5245  	mutex_unlock(&kvm->lock);
107c87325cf461 Aaron Lewis 2020-08-18  5246  out:
107c87325cf461 Aaron Lewis 2020-08-18  5247  	if (r)
107c87325cf461 Aaron Lewis 2020-08-18 @5248  		kfree(bitmap);
107c87325cf461 Aaron Lewis 2020-08-18  5249  
107c87325cf461 Aaron Lewis 2020-08-18  5250  	return r;
107c87325cf461 Aaron Lewis 2020-08-18  5251  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx

Attachment: .config.gz
Description: application/gzip

[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux