Skip to content

Commit

Permalink
KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE
Browse files Browse the repository at this point in the history 
The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE,
so the correct size must be that plus sizeof(*vmcs12).  This could lead
to KVM reading garbage data from userspace and not reporting an error,
but is otherwise not sensitive.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
  • Loading branch information
Paolo Bonzini committed May 24, 2019
1 parent 6bff2a3 commit db80927
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion arch/x86/kvm/vmx/nested.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5427,7 +5427,7 @@ static int vmx_set_nested_state(struct kvm_vcpu *vcpu,
vmcs12->vmcs_link_pointer != -1ull) {
struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);

if (kvm_state->size < sizeof(*kvm_state) + 2 * sizeof(*vmcs12))
if (kvm_state->size < sizeof(*kvm_state) + VMCS12_SIZE + sizeof(*vmcs12))
return -EINVAL;

if (copy_from_user(shadow_vmcs12,
Expand Down

0 comments on commit db80927

Please sign in to comment.