summaryrefslogtreecommitdiffstats
path: root/arch
diff options
context:
space:
mode:
authorJim Mattson <jmattson@google.com>2016-10-26 17:38:38 +0200
committerPaolo Bonzini <pbonzini@redhat.com>2016-10-27 12:15:27 +0200
commit85c856b39b479dde410ddd09df1da745343010c9 (patch)
tree54e99503fc7d4abc2d6b573099566428c864c0d0 /arch
parentKVM: document lock orders (diff)
downloadlinux-85c856b39b479dde410ddd09df1da745343010c9.tar.xz
linux-85c856b39b479dde410ddd09df1da745343010c9.zip
kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types
Bitwise shifts by amounts greater than or equal to the width of the left operand are undefined. A malicious guest can exploit this to crash a 32-bit host, due to the BUG_ON(1)'s in handle_{invept,invvpid}. Signed-off-by: Jim Mattson <jmattson@google.com> Message-Id: <1477496318-17681-1-git-send-email-jmattson@google.com> [Change 1UL to 1, to match the range check on the shift count. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'arch')
-rw-r--r--arch/x86/kvm/vmx.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index cf1b16dbc98a..74a4df993a51 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7659,7 +7659,7 @@ static int handle_invept(struct kvm_vcpu *vcpu)
types = (vmx->nested.nested_vmx_ept_caps >> VMX_EPT_EXTENT_SHIFT) & 6;
- if (!(types & (1UL << type))) {
+ if (type >= 32 || !(types & (1 << type))) {
nested_vmx_failValid(vcpu,
VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
skip_emulated_instruction(vcpu);
@@ -7722,7 +7722,7 @@ static int handle_invvpid(struct kvm_vcpu *vcpu)
types = (vmx->nested.nested_vmx_vpid_caps >> 8) & 0x7;
- if (!(types & (1UL << type))) {
+ if (type >= 32 || !(types & (1 << type))) {
nested_vmx_failValid(vcpu,
VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
skip_emulated_instruction(vcpu);