diff options
| author | Jim Mattson <jmattson@google.com> | 2016-10-26 08:38:38 -0700 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2016-10-27 12:15:27 +0200 |
| commit | 85c856b39b479dde410ddd09df1da745343010c9 (patch) | |
| tree | 54e99503fc7d4abc2d6b573099566428c864c0d0 /arch/x86 | |
| parent | 58e3948a87e39289aeda5753e9712092c8ca0745 (diff) | |
| download | linux-85c856b39b479dde410ddd09df1da745343010c9.tar.gz linux-85c856b39b479dde410ddd09df1da745343010c9.tar.xz | |
kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types
Bitwise shifts by amounts greater than or equal to the width of the left
operand are undefined. A malicious guest can exploit this to crash a
32-bit host, due to the BUG_ON(1)'s in handle_{invept,invvpid}.
Signed-off-by: Jim Mattson <jmattson@google.com>
Message-Id: <1477496318-17681-1-git-send-email-jmattson@google.com>
[Change 1UL to 1, to match the range check on the shift count. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'arch/x86')
| -rw-r--r-- | arch/x86/kvm/vmx.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index cf1b16dbc98a..74a4df993a51 100644 --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7659,7 +7659,7 @@ static int handle_invept(struct kvm_vcpu *vcpu) types = (vmx->nested.nested_vmx_ept_caps >> VMX_EPT_EXTENT_SHIFT) & 6; - if (!(types & (1UL << type))) { + if (type >= 32 || !(types & (1 << type))) { nested_vmx_failValid(vcpu, VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID); skip_emulated_instruction(vcpu); @@ -7722,7 +7722,7 @@ static int handle_invvpid(struct kvm_vcpu *vcpu) types = (vmx->nested.nested_vmx_vpid_caps >> 8) & 0x7; - if (!(types & (1UL << type))) { + if (type >= 32 || !(types & (1 << type))) { nested_vmx_failValid(vcpu, VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID); skip_emulated_instruction(vcpu); |