On Wed, Oct 26, 2022, Christian A. Ehrhardt wrote:
> Syzkaller reports a stack-out-of-bounds access when
> emulating RSM (return from system management mode).
>
> Assume that a 64-bit capable host (i.e. CONFIG_X86_64 is true)
> emulates a guest cpu that does not support 64-bit mode. In this case
> RSM must use the 32-bit version of the SMM state map which only
> contains space for 8 general purpose registers.
> However, NR_EMULATOR_GPRS is defined to 16 due to CONFIG_X86_64.
>
> As a result rsm_load_state_32 will try to restore 16
> registers from the state save area which only contains 8
> registers. Manual offset calculation easily shows that
> memory beyond the end of the smstate buffer is accessed in
> this case.
>
> Revert the relevant parts of b443183a25ab and use explicit constants
> for the number of general purpose registers, again. This
> also ensures that the code in rsm_load_state_{32,64} matches
> what is done in enter_smm_save_state_{32,64}.
>
> Fixes: b443183a25ab ("KVM: x86: Reduce the number of emulator GPRs to '8' for 32-bit KVM")
> Signed-off-by: Christian A. Ehrhardt <lk@xxxxxxx>

A fix has already been posted[*], we've just been abysmally slow getting it merged. I'll make sure it gets queued up for 6.1.

Thanks!

[*] https://lore.kernel.org/all/20221025124741.228045-15-mlevitsk@xxxxxxxxxx
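An added illustration of the overrun the patch description analyses, written for this page and not taken from the thread or from KVM: the save-area size (SMSTATE_32_SIZE), the GPR slot offset (GPR32_OFFSET), the register values and the function name rsm_load_gprs_32 are all constructed for the example and do not reflect the real x86 SMRAM layout. It models a 32-bit state-save area with room for exactly 8 dword registers, counts how many of a 16-entry loop's reads fall past the end of that buffer, and contrasts the unchecked loop bound with the explicit 8-register constant the patch reinstates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed layout for this example only; NOT the real x86 SMRAM map.
 * A 32-bit save area of SMSTATE_32_SIZE bytes whose last 8 dwords hold
 * the general-purpose registers, mirroring the report's point that the
 * 32-bit map has room for only 8 GPRs.
 */
#define SMSTATE_32_SIZE  0x200u
#define GPR32_OFFSET     0x1e0u   /* hypothetical offset of the first GPR slot */
#define NR_GPRS_32       8u       /* explicit per-mode constant, as the patch uses */

/* What the report describes: on a CONFIG_X86_64 host the emulator-wide
 * GPR count is 16 even when the guest being emulated is 32-bit only. */
#define NR_EMULATOR_GPRS 16u

/* Count how many of nregs consecutive dword slots starting at GPR32_OFFSET
 * lie entirely inside the save area. */
static unsigned gprs_that_fit(unsigned nregs)
{
    unsigned fit = 0;

    for (unsigned i = 0; i < nregs; i++) {
        size_t off = GPR32_OFFSET + (size_t)i * sizeof(uint32_t);

        if (off + sizeof(uint32_t) > SMSTATE_32_SIZE)
            break;
        fit++;
    }
    return fit;
}

/* Number of register reads that would run past the end of the buffer. */
static unsigned gprs_beyond_end(unsigned nregs)
{
    return nregs - gprs_that_fit(nregs);
}

/*
 * Restore nregs GPRs from smstate into regs, refusing (-1) when the request
 * exceeds what a 32-bit save area holds. The unpatched loop the report
 * describes iterates NR_EMULATOR_GPRS times with no such bound.
 */
static int rsm_load_gprs_32(const uint8_t *smstate, uint32_t *regs,
                            unsigned nregs)
{
    if (nregs > NR_GPRS_32 || gprs_that_fit(nregs) != nregs)
        return -1;

    for (unsigned i = 0; i < nregs; i++)
        memcpy(&regs[i], smstate + GPR32_OFFSET + i * sizeof(uint32_t),
               sizeof(uint32_t));
    return 0;
}

int main(void)
{
    uint8_t smstate[SMSTATE_32_SIZE] = { 0 };   /* constructed save area */
    uint32_t regs[NR_EMULATOR_GPRS] = { 0 };

    /* Fill the 8 GPR slots with recognisable host-endian values. */
    for (unsigned i = 0; i < NR_GPRS_32; i++) {
        uint32_t v = 0x10u + i;
        memcpy(smstate + GPR32_OFFSET + i * sizeof(uint32_t), &v, sizeof v);
    }

    printf("NR_EMULATOR_GPRS = %u, slots that fit = %u, beyond end = %u\n",
           NR_EMULATOR_GPRS, gprs_that_fit(NR_EMULATOR_GPRS),
           gprs_beyond_end(NR_EMULATOR_GPRS));
    printf("load 16 -> %d, load 8 -> %d, regs[7] = 0x%x\n",
           rsm_load_gprs_32(smstate, regs, NR_EMULATOR_GPRS),
           rsm_load_gprs_32(smstate, regs, NR_GPRS_32), regs[7]);
    return 0;
}
```

With these constructed values the 8 slots end exactly at the buffer boundary, so a loop bounded by NR_EMULATOR_GPRS issues 8 reads beyond it; sizing the loop by the mode-specific constant (NR_GPRS_32 here, matching the enter_smm_save_state_32 side) is what keeps save and restore symmetric.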