Commit 696db303 authored Oct 25, 2022 by Maxim Levitsky Committed by Paolo Bonzini Oct 28, 2022

KVM: x86: smm: number of GPRs in the SMRAM image depends on the image format



On 64 bit host, if the guest doesn't have X86_FEATURE_LM, KVM will
access 16 gprs to 32-bit smram image, causing out-ouf-bound ram
access.

On 32 bit host, the rsm_load_state_64/enter_smm_save_state_64
is compiled out, thus access overflow can't happen.

Fixes: b443183a ("KVM: x86: Reduce the number of emulator GPRs to '8' for 32-bit KVM")

Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20221025124741.228045-15-mlevitsk@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent ad8f9e69

arch/x86/kvm/emulate.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -2461,7 +2461,7 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
		ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7ff4) \| X86_EFLAGS_FIXED;
		ctxt->_eip = GET_SMSTATE(u32, smstate, 0x7ff0);

		for (i = 0; i < NR_EMULATOR_GPRS; i++)
		for (i = 0; i < 8; i++)
		reg_write(ctxt, i) = GET_SMSTATE(u32, smstate, 0x7fd0 + i 4);

		val = GET_SMSTATE(u32, smstate, 0x7fcc);
		@@ -2518,7 +2518,7 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
		u16 selector;
		int i, r;

		for (i = 0; i < NR_EMULATOR_GPRS; i++)
		for (i = 0; i < 16; i++)
		reg_write(ctxt, i) = GET_SMSTATE(u64, smstate, 0x7ff8 - i 8);

		ctxt->_eip = GET_SMSTATE(u64, smstate, 0x7f78);