[patch 29/71] KVM: x86: verify MTRR/PAT validity

From: Greg KH
Date: Fri Sep 04 2009 - 20:27:06 EST

Next message: Greg KH: "[patch 52/71] vfs: add __destroy_inode"
Previous message: Greg KH: "[patch 53/71] xfs: fix freeing of inodes not yet added to the inode cache"
In reply to: Greg KH: "[patch 53/71] xfs: fix freeing of inodes not yet added to the inode cache"
Next in thread: Greg KH: "[patch 52/71] vfs: add __destroy_inode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.30-stable review patch. If anyone has any objections, please let us know.

------------------
From: Marcelo Tosatti <mtosatti@xxxxxxxxxx>

(cherry picked from commit d6289b9365c3f622a8cfe62c4fb054bb70b5061a)

Do not allow invalid memory types in MTRR/PAT (generating a #GP
otherwise).

Signed-off-by: Marcelo Tosatti <mtosatti@xxxxxxxxxx>
Signed-off-by: Avi Kivity <avi@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
arch/x86/kvm/x86.c | 39 ++++++++++++++++++++++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -706,11 +706,48 @@ static bool msr_mtrr_valid(unsigned msr)
return false;
}

+static bool valid_pat_type(unsigned t)
+{
+ return t < 8 && (1 << t) & 0xf3; /* 0, 1, 4, 5, 6, 7 */
+}
+
+static bool valid_mtrr_type(unsigned t)
+{
+ return t < 8 && (1 << t) & 0x73; /* 0, 1, 4, 5, 6 */
+}
+
+static bool mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+{
+ int i;
+
+ if (!msr_mtrr_valid(msr))
+ return false;
+
+ if (msr == MSR_IA32_CR_PAT) {
+ for (i = 0; i < 8; i++)
+ if (!valid_pat_type((data >> (i * 8)) & 0xff))
+ return false;
+ return true;
+ } else if (msr == MSR_MTRRdefType) {
+ if (data & ~0xcff)
+ return false;
+ return valid_mtrr_type(data & 0xff);
+ } else if (msr >= MSR_MTRRfix64K_00000 && msr <= MSR_MTRRfix4K_F8000) {
+ for (i = 0; i < 8 ; i++)
+ if (!valid_mtrr_type((data >> (i * 8)) & 0xff))
+ return false;
+ return true;
+ }
+
+ /* variable MTRRs */
+ return valid_mtrr_type(data & 0xff);
+}
+
static int set_msr_mtrr(struct kvm_vcpu *vcpu, u32 msr, u64 data)
{
u64 *p = (u64 *)&vcpu->arch.mtrr_state.fixed_ranges;

- if (!msr_mtrr_valid(msr))
+ if (!mtrr_valid(vcpu, msr, data))
return 1;

if (msr == MSR_MTRRdefType) {

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 52/71] vfs: add __destroy_inode"
Previous message: Greg KH: "[patch 53/71] xfs: fix freeing of inodes not yet added to the inode cache"
In reply to: Greg KH: "[patch 53/71] xfs: fix freeing of inodes not yet added to the inode cache"
Next in thread: Greg KH: "[patch 52/71] vfs: add __destroy_inode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]