diff options
| author | Tianyu Lan <Tianyu.Lan@microsoft.com> | 2019-09-02 20:41:43 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-09-21 07:15:44 +0200 |
| commit | 8b13085943111ade6ac9908168cf05e4229c1506 (patch) | |
| tree | f869ec3c7b6a9447fff21f6625af841bbaf63c4e /security | |
| parent | 771c5c0955f14fc9bdf9f27ad4a25f8632f4a54e (diff) | |
x86/hyper-v: Fix overflow bug in fill_gva_list()
[ Upstream commit 4030b4c585c41eeefec7bd20ce3d0e100a0f2e4d ]
When the 'start' parameter is >= 0xFF000000 on 32-bit
systems, or >= 0xFFFFFFFF'FF000000 on 64-bit systems,
fill_gva_list() gets into an infinite loop.
With such inputs, 'cur' overflows after adding HV_TLB_FLUSH_UNIT
and always compares as less than end. Memory is filled with
guest virtual addresses until the system crashes.
Fix this by never incrementing 'cur' to be larger than 'end'.
Reported-by: Jong Hyun Park <park.jonghyun@yonsei.ac.kr>
Signed-off-by: Tianyu Lan <Tianyu.Lan@microsoft.com>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 2ffd9e33ce4a ("x86/hyper-v: Use hypercall for remote TLB flush")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions