• Marcelo Tosatti's avatar
    KVM: x86: check for cr3 validity in ioctl_set_sregs · 59839dff
    Marcelo Tosatti authored
    Matt T. Yourst notes that kvm_arch_vcpu_ioctl_set_sregs lacks validity
    checking for the new cr3 value:
    
    "Userspace callers of KVM_SET_SREGS can pass a bogus value of cr3 to
    the kernel. This will trigger a NULL pointer access in gfn_to_rmap()
    when userspace next tries to call KVM_RUN on the affected VCPU and kvm
    attempts to activate the new non-existent page table root.
    
    This happens since kvm only validates that cr3 points to a valid guest
    physical memory page when code *inside* the guest sets cr3. However, kvm
    currently trusts the userspace caller (e.g. QEMU) on the host machine to
    always supply a valid page table root, rather than properly validating
    it along with the rest of the reloaded guest state."
    
    http://sourceforge.net/tracker/?func=detail&atid=893831&aid=2687641&group_id=180599
    
    Check for a valid cr3 address in kvm_arch_vcpu_ioctl_set_sregs, triple
    fault in case of failure.
    
    Cc: stable@kernel.org
    Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
    Signed-off-by: default avatarAvi Kivity <avi@redhat.com>
    59839dff
x86.c 110 KB