On Wed, Sep 18, 2019 at 04:01:42PM +0200, Paolo Bonzini wrote:
> From: Matt Delco <delco@xxxxxxxxxxxx>
>
> The first/last indexes are typically shared with a user app.
> The app can change the 'last' index that the kernel uses
> to store the next result. This change sanity checks the index
> before using it for writing to a potentially arbitrary address.
>
> This fixes CVE-2019-14821.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
> Signed-off-by: Matt Delco <delco@xxxxxxxxxxxx>
> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
> Reported-by: syzbot+983c866c3dd6efa3662a@xxxxxxxxxxxxxxxxxxxxxxxxx
> [Use READ_ONCE. - Paolo]
> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
> ---
>  virt/kvm/coalesced_mmio.c | 19 +++++++++++--------
>  1 file changed, 11 insertions(+), 8 deletions(-)

Acked-by: Will Deacon <will@xxxxxxxxxx>

Will
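The quoted commit message describes the general pattern behind the fix: a producer index lives in memory shared with a less-trusted consumer, so the producer must read that index exactly once and range-check the value it read before using it to address a slot. The following is an added, user-space C model of that pattern; it is not the kernel patch (whose hunks are not included in this mail), and the names `shared_ring`, `RING_MAX`, `read_once_u32` and `ring_push_checked` are assumptions made for this example, not KVM identifiers. `ring_push_unchecked` shows the class of bug the commit describes: it trusts the shared index and writes wherever it points.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model (not the KVM structure): a ring whose indexes are
 * shared with an untrusted party. 'first' is the consumer index, 'last'
 * is the producer index; both are writable by the untrusted side. */
#define RING_MAX 8

struct shared_ring {
    volatile uint32_t first;
    volatile uint32_t last;
    uint64_t entries[RING_MAX];
};

/* Read a shared index once. The value must be captured into a local so
 * that the range check and the later use operate on the same value; a
 * second read could observe a different (now out-of-range) index. */
static uint32_t read_once_u32(volatile uint32_t *p)
{
    return *p;
}

/* Buggy variant for contrast: the shared 'last' is used as an array
 * index without any range check, so a corrupted index selects a slot
 * outside 'entries'. Returns the slot index that would be written,
 * but never performs the write, so the model itself stays memory-safe. */
static uint32_t ring_push_unchecked_slot(struct shared_ring *r)
{
    return r->last;   /* trusted as-is: may be >= RING_MAX */
}

/* Hardened variant: returns 0 on success, -1 when the ring is full and
 * -2 when the shared index is out of range. The range check happens on
 * the single captured value before it is ever used as an index. */
int ring_push_checked(struct shared_ring *r, uint64_t value)
{
    uint32_t insert = read_once_u32(&r->last);

    if (insert >= RING_MAX)
        return -2;                       /* corrupted shared index */

    if ((insert + 1) % RING_MAX == read_once_u32(&r->first))
        return -1;                       /* ring full */

    r->entries[insert] = value;
    /* Publish the new producer index only after the entry is stored. */
    r->last = (insert + 1) % RING_MAX;
    return 0;
}

/* Exercise the scenarios a reviewer of such a check cares about.
 * Returns 1 when every scenario behaves as expected, otherwise 0. */
int run_checks(void)
{
    struct shared_ring r;
    memset(&r, 0, sizeof r);

    /* 1. normal push on an empty ring */
    if (ring_push_checked(&r, 0x11) != 0 || r.last != 1 || r.entries[0] != 0x11)
        return 0;

    /* 2. the untrusted side sets 'last' just past the end */
    r.last = RING_MAX;
    if (ring_push_unchecked_slot(&r) < RING_MAX)   /* buggy path would write OOB */
        return 0;
    if (ring_push_checked(&r, 0x22) != -2 || r.last != RING_MAX)
        return 0;

    /* 3. an arbitrary large index is rejected the same way */
    r.last = 0xFFFFFFF0u;
    if (ring_push_checked(&r, 0x33) != -2)
        return 0;

    /* 4. a full ring (next slot would meet 'first') is refused, not overwritten */
    r.first = 0;
    r.last = RING_MAX - 1;
    if (ring_push_checked(&r, 0x44) != -1 || r.entries[RING_MAX - 1] != 0)
        return 0;

    return 1;
}

int main(void)
{
    printf("shared-ring index checks: %s\n", run_checks() ? "ok" : "FAILED");
    return run_checks() ? 0 : 1;
}
```

The single captured read plus the `>= RING_MAX` comparison is the whole fix; everything after it may safely use `insert` as an index because no later read of the shared field can change what was checked.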