KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()
stable inclusion
from stable-v5.10.217
commit 4404465a1bee3607ad90a4c5f9e16dfd75b85728
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9UOQA
CVE: CVE-2024-36953

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4404465a1bee3607ad90a4c5f9e16dfd75b85728

--------------------------------

[ Upstream commit 6ddb4f372fc63210034b903d96ebbeb3c7195adb ]

vgic_v2_parse_attr() is responsible for finding the vCPU that matches the user-provided CPUID, which (of course) may not be valid. If the ID is invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled gracefully.

Similar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id() actually returns something and fail the ioctl if not.

Cc: stable@vger.kernel.org
Fixes: 7d450e28 ("KVM: arm/arm64: vgic-new: Add userland access to VGIC dist registers")
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Reviewed-by: Alexander Potapenko <glider@google.com>
Reviewed-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20240424173959.3776798-2-oliver.upton@linux.dev
Signed-off-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Liu Shixin <liushixin2@huawei.com>