aboutsummaryrefslogtreecommitdiffstats
path: root/arch/arm
diff options
context:
space:
mode:
authorAndre Przywara <andre.przywara@arm.com>2015-04-10 11:17:59 -0400
committerMarc Zyngier <marc.zyngier@arm.com>2015-04-22 10:42:24 -0400
commitfd1d0ddf2ae92fb3df42ed476939861806c5d785 (patch)
tree17846a251ba4f0a4a1a0c472c05042e25b21f1ad /arch/arm
parent0b3289ebc2d50cf5ab778215ed0b4075bbae6629 (diff)
KVM: arm/arm64: check IRQ number on userland injection
When userland injects a SPI via the KVM_IRQ_LINE ioctl we currently only check it against a fixed limit, which historically is set to 127. With the new dynamic IRQ allocation the effective limit may actually be smaller (64). So when now a malicious or buggy userland injects a SPI in that range, we spill over on our VGIC bitmaps and bytemaps memory. I could trigger a host kernel NULL pointer dereference with current mainline by injecting some bogus IRQ number from a hacked kvmtool: ----------------- .... DEBUG: kvm_vgic_inject_irq(kvm, cpu=0, irq=114, level=1) DEBUG: vgic_update_irq_pending(kvm, cpu=0, irq=114, level=1) DEBUG: IRQ #114 still in the game, writing to bytemap now... Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = ffffffc07652e000 [00000000] *pgd=00000000f658b003, *pud=00000000f658b003, *pmd=0000000000000000 Internal error: Oops: 96000006 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 1053 Comm: lkvm-msi-irqinj Not tainted 4.0.0-rc7+ #3027 Hardware name: FVP Base (DT) task: ffffffc0774e9680 ti: ffffffc0765a8000 task.ti: ffffffc0765a8000 PC is at kvm_vgic_inject_irq+0x234/0x310 LR is at kvm_vgic_inject_irq+0x30c/0x310 pc : [<ffffffc0000ae0a8>] lr : [<ffffffc0000ae180>] pstate: 80000145 ..... So this patch fixes this by checking the SPI number against the actual limit. Also we remove the former legacy hard limit of 127 in the ioctl code. Signed-off-by: Andre Przywara <andre.przywara@arm.com> Reviewed-by: Christoffer Dall <christoffer.dall@linaro.org> CC: <stable@vger.kernel.org> # 4.0, 3.19, 3.18 [maz: wrap KVM_ARM_IRQ_GIC_MAX with #ifndef __KERNEL__, as suggested by Christopher Covington] Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Diffstat (limited to 'arch/arm')
-rw-r--r--arch/arm/include/uapi/asm/kvm.h8
-rw-r--r--arch/arm/kvm/arm.c3
2 files changed, 8 insertions, 3 deletions
diff --git a/arch/arm/include/uapi/asm/kvm.h b/arch/arm/include/uapi/asm/kvm.h
index 2499867dd0d8..df3f60cb1168 100644
--- a/arch/arm/include/uapi/asm/kvm.h
+++ b/arch/arm/include/uapi/asm/kvm.h
@@ -195,8 +195,14 @@ struct kvm_arch_memory_slot {
195#define KVM_ARM_IRQ_CPU_IRQ 0 195#define KVM_ARM_IRQ_CPU_IRQ 0
196#define KVM_ARM_IRQ_CPU_FIQ 1 196#define KVM_ARM_IRQ_CPU_FIQ 1
197 197
198/* Highest supported SPI, from VGIC_NR_IRQS */ 198/*
199 * This used to hold the highest supported SPI, but it is now obsolete
200 * and only here to provide source code level compatibility with older
201 * userland. The highest SPI number can be set via KVM_DEV_ARM_VGIC_GRP_NR_IRQS.
202 */
203#ifndef __KERNEL__
199#define KVM_ARM_IRQ_GIC_MAX 127 204#define KVM_ARM_IRQ_GIC_MAX 127
205#endif
200 206
201/* One single KVM irqchip, ie. the VGIC */ 207/* One single KVM irqchip, ie. the VGIC */
202#define KVM_NR_IRQCHIPS 1 208#define KVM_NR_IRQCHIPS 1
diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
index 6f536451ab78..d9631ecddd56 100644
--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -671,8 +671,7 @@ int kvm_vm_ioctl_irq_line(struct kvm *kvm, struct kvm_irq_level *irq_level,
671 if (!irqchip_in_kernel(kvm)) 671 if (!irqchip_in_kernel(kvm))
672 return -ENXIO; 672 return -ENXIO;
673 673
674 if (irq_num < VGIC_NR_PRIVATE_IRQS || 674 if (irq_num < VGIC_NR_PRIVATE_IRQS)
675 irq_num > KVM_ARM_IRQ_GIC_MAX)
676 return -EINVAL; 675 return -EINVAL;
677 676
678 return kvm_vgic_inject_irq(kvm, 0, irq_num, level); 677 return kvm_vgic_inject_irq(kvm, 0, irq_num, level);