Re: UBSAN: shift-out-of-bounds in kvm_vcpu_after_set_cpuid

Subject: Re: UBSAN: shift-out-of-bounds in kvm_vcpu_after_set_cpuid
From: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Date: Tue, 12 Jan 2021 09:06:07 +0100
Cc: syzbot <syzbot+e87846c48bf72bc85311@xxxxxxxxxxxxxxxxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, "H . Peter Anvin" <hpa@xxxxxxxxx>, Joerg Roedel <joro@xxxxxxxxxx>, kvm list <kvm@xxxxxxxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, syzkaller-bugs <syzkaller-bugs@xxxxxxxxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Vitaly Kuznetsov <vkuznets@xxxxxxxxxx>, Wanpeng Li <wanpengli@xxxxxxxxxxx>, the arch/x86 maintainers <x86@xxxxxxxxxx>
In-reply-to: <X/zYsnfXpd6DT34D@google.com>
References: <000000000000d5173d05b7097755@google.com> <CALMp9eSKrn0zcmSuOE6GFi400PMgK+yeypS7+prtwBckgdW0vQ@mail.gmail.com> <X/zYsnfXpd6DT34D@google.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0

On 12/01/21 00:01, Sean Christopherson wrote:

Perhaps cpuid_query_maxphyaddr() should just look at the low 5 bits of
CPUID.80000008H:EAX?

The low 6 bits I guess---yes, that would make sense and it would havealso fixed the bug.

(Nevertheless it's a good idea to make rsvd_bits more robust as well, asin the commit that Sean referenced.


Paolo

Follow-Ups:
- Re: UBSAN: shift-out-of-bounds in kvm_vcpu_after_set_cpuid
  - From: Sean Christopherson

References:
- UBSAN: shift-out-of-bounds in kvm_vcpu_after_set_cpuid
  - From: syzbot
- Re: UBSAN: shift-out-of-bounds in kvm_vcpu_after_set_cpuid
  - From: Jim Mattson
- Re: UBSAN: shift-out-of-bounds in kvm_vcpu_after_set_cpuid
  - From: Sean Christopherson