[PW_SID:1069010] RISC-V: KVM: Fix integer overflow in kvm_pmu_validate_counter_mask() #1641
linux-riscv-bot wants to merge 1 commit into workflow__riscv__fixes
Conversation
When a guest initiates an SBI_EXT_PMU_COUNTER_CFG_MATCH call with ctr_base=0xfffffffffffffffe, ctr_mask=0xeb5f and flags=0x1 (SBI_PMU_CFG_FLAG_SKIP_MATCH), kvm_riscv_vcpu_pmu_ctr_cfg_match() first invokes kvm_pmu_validate_counter_mask() to verify whether ctr_base and ctr_mask are valid, by evaluating:

    !ctr_mask || (ctr_base + __fls(ctr_mask) >= kvm_pmu_num_counters(kvpmu))

With the above inputs, __fls(0xeb5f) equals 15, and adding 15 to 0xfffffffffffffffe causes an integer overflow, wrapping around to 13. Since 13 is less than kvm_pmu_num_counters(), the validation wrongly succeeds.

Thereafter, since flags & SBI_PMU_CFG_FLAG_SKIP_MATCH is satisfied, the code evaluates:

    !test_bit(ctr_base + __ffs(ctr_mask), kvpmu->pmc_in_use)

Here __ffs(0xeb5f) equals 0, so test_bit() receives 0xfffffffffffffffe as the bit index and attempts to access the corresponding element of the kvpmu->pmc_in_use, which results in an invalid memory access. This triggers the following Oops:

    Unable to handle kernel paging request at virtual address e3ebffff12abba89
    generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128
    kvm_riscv_vcpu_pmu_ctr_cfg_match arch/riscv/kvm/vcpu_pmu.c:758
    kvm_sbi_ext_pmu_handler arch/riscv/kvm/vcpu_sbi_pmu.c:49
    kvm_riscv_vcpu_sbi_ecall arch/riscv/kvm/vcpu_sbi.c:608
    kvm_riscv_vcpu_exit arch/riscv/kvm/vcpu_exit.c:240

The root cause is that kvm_pmu_validate_counter_mask() does not account for the case where ctr_base itself is out of range, allowing the subsequent addition to silently overflow and bypass the check. Fix this by explicitly validating ctr_base against kvm_pmu_num_counters() before performing the addition.

This bug was found by fuzzing the KVM RISC-V PMU interface.

Fixes: 0cb74b6 ("RISC-V: KVM: Implement perf support without sampling")
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Linux RISC-V bot <linux.riscv.bot@gmail.com>
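The wraparound the commit message walks through, as an added user-space model that is not the kernel's code: the pre-fix and post-fix forms of the counter-mask check are reproduced from the description above, __fls()/__ffs() are replaced by local helpers built on compiler builtins, and the counter count (32) and the size of the pmc_in_use bitmap (64 bits) are constructed values, since the real ones are per-VM. Instead of letting test_bit() index past the bitmap, the model reports whether the computed index is in bounds at all.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants: a VM with 32 PMU counters and a 64-bit pmc_in_use bitmap. */
#define NUM_COUNTERS      32ULL
#define PMC_IN_USE_BITS   64ULL

/* Local stand-ins for the kernel's __fls()/__ffs(); x must be non-zero. */
static uint64_t fls64(uint64_t x) { return 63 - (uint64_t)__builtin_clzll(x); }
static uint64_t ffs64(uint64_t x) { return (uint64_t)__builtin_ctzll(x); }

/* Model of kvm_pmu_validate_counter_mask() before the fix: ctr_base is never
 * range-checked on its own, so a huge ctr_base wraps the sum below NUM_COUNTERS. */
static bool validate_counter_mask_before(uint64_t ctr_base, uint64_t ctr_mask)
{
	if (!ctr_mask || (ctr_base + fls64(ctr_mask) >= NUM_COUNTERS))
		return false;
	return true;
}

/* Model of the check after the fix: reject an out-of-range ctr_base before the
 * addition, so the sum can no longer wrap. */
static bool validate_counter_mask_after(uint64_t ctr_base, uint64_t ctr_mask)
{
	if (!ctr_mask || ctr_base >= NUM_COUNTERS ||
	    (ctr_base + fls64(ctr_mask) >= NUM_COUNTERS))
		return false;
	return true;
}

/* Bit index that the SBI_PMU_CFG_FLAG_SKIP_MATCH path hands to test_bit()
 * once validation has passed. */
static uint64_t skip_match_bit_index(uint64_t ctr_base, uint64_t ctr_mask)
{
	return ctr_base + ffs64(ctr_mask);
}

/* Safe stand-in for test_bit(): say whether the index lies inside the bitmap,
 * rather than dereferencing past it as the kernel did. */
static bool bit_index_in_bounds(uint64_t idx)
{
	return idx < PMC_IN_USE_BITS;
}

int main(void)
{
	/* The guest-supplied values from the report. */
	const uint64_t ctr_base = 0xfffffffffffffffeULL;
	const uint64_t ctr_mask = 0xeb5fULL;
	uint64_t idx = skip_match_bit_index(ctr_base, ctr_mask);

	printf("__fls(0x%llx) = %llu\n", (unsigned long long)ctr_mask,
	       (unsigned long long)fls64(ctr_mask));
	printf("ctr_base + __fls(ctr_mask) = %llu (wrapped)\n",
	       (unsigned long long)(ctr_base + fls64(ctr_mask)));
	printf("before fix: valid = %d\n", validate_counter_mask_before(ctr_base, ctr_mask));
	printf("after fix:  valid = %d\n", validate_counter_mask_after(ctr_base, ctr_mask));
	printf("test_bit() index would be 0x%llx, in bounds = %d\n",
	       (unsigned long long)idx, bit_index_in_bounds(idx));
	return 0;
}
```

The post-fix check also has to keep the original sum comparison: a ctr_base that is in range on its own can still overrun the counter array once the mask's highest bit is added (ctr_base 20 with mask 0xffff reaches counter 35 on this 32-counter model), so both conditions are needed.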
Patch 1: "RISC-V: KVM: Fix integer overflow in kvm_pmu_validate_counter_mask()"
PR for series 1069010 applied to workflow__riscv__fixes
Name: RISC-V: KVM: Fix integer overflow in kvm_pmu_validate_counter_mask()
URL: https://patchwork.kernel.org/project/linux-riscv/list/?series=1069010
Version: 1