Hello Guang Zeng,

The patch 16786d406fe8: "kvm: x86: Add support for getting/setting expanded xstate buffer" from Jan 5, 2022, leads to the following Smatch static checker warning:

	arch/x86/kvm/x86.c:5411 kvm_arch_vcpu_ioctl()
	warn: is memdup() '0-s32max' large enough for 'struct kvm_xsave'

arch/x86/kvm/x86.c
    5390	case KVM_GET_XSAVE: {
    5391		r = -EINVAL;
    5392		if (vcpu->arch.guest_fpu.uabi_size > sizeof(struct kvm_xsave))
    5393			break;
    5394
    5395		u.xsave = kzalloc(sizeof(struct kvm_xsave), GFP_KERNEL_ACCOUNT);
    5396		r = -ENOMEM;
    5397		if (!u.xsave)
    5398			break;
    5399
    5400		kvm_vcpu_ioctl_x86_get_xsave(vcpu, u.xsave);
    5401
    5402		r = -EFAULT;
    5403		if (copy_to_user(argp, u.xsave, sizeof(struct kvm_xsave)))
    5404			break;
    5405		r = 0;
    5406		break;
    5407	}
    5408	case KVM_SET_XSAVE: {
    5409		int size = vcpu->arch.guest_fpu.uabi_size;
    5410

There is no check whether size >= sizeof(struct kvm_xsave), unlike the KVM_GET_XSAVE case above.

--> 5411		u.xsave = memdup_user(argp, size);
    5412		if (IS_ERR(u.xsave)) {
    5413			r = PTR_ERR(u.xsave);
    5414			goto out_nofree;
    5415		}
    5416
    5417		r = kvm_vcpu_ioctl_x86_set_xsave(vcpu, u.xsave);

So kvm_vcpu_ioctl_x86_set_xsave() can read past the end of the buffer that memdup_user() allocated, i.e. an out-of-bounds read in kernel memory.

    5418		break;
    5419	}
    5420
    5421	case KVM_GET_XSAVE2: {
    5422		int size = vcpu->arch.guest_fpu.uabi_size;
    5423
    5424		u.xsave = kzalloc(size, GFP_KERNEL_ACCOUNT);
    5425		r = -ENOMEM;
    5426		if (!u.xsave)
    5427			break;
    5428
    5429		kvm_vcpu_ioctl_x86_get_xsave2(vcpu, u.buffer, size);
    5430
    5431		r = -EFAULT;
    5432		if (copy_to_user(argp, u.xsave, size))
    5433			break;
    5434
    5435		r = 0;
    5436		break;
    5437	}
    5438

regards,
dan carpenter