field | value | date
---|---|---
author | Paolo Bonzini <pbonzini@redhat.com> | 2019-12-04 10:28:54 +0100
committer | Haitao Shan <hshan@google.com> | 2024-04-01 18:44:26 -0700
commit | 4343762dc54a8e7fbe04a01db8172da09f3a68e0 |
tree | 57c22f22fc5075f7445d7bbbbd8dc28a8455deea /arch/x86 |
parent | 4219ee46cd4e7f247e5ff91267dcd636779b316a |
download | aehd-4343762dc54a8e7fbe04a01db8172da09f3a68e0.tar.gz |
KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
KVM_GET_EMULATED_CPUID.
Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
Change-Id: Iee8ef8a079bcbff2d165f8c0d543daf3286e5d6a
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
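To make the commit message concrete, the following is an added userspace model of the dispatch the patch touches; it is example code, not AEHD's or Linux KVM's. It mirrors the shape of do_cpuid_ent(): one "supported" filler that checks `*nent >= maxnent` itself, one "emulated" filler that receives maxnent but never consults it, and a dispatcher before and after hoisting the check. The names fill_supported, fill_emulated_unchecked, do_cpuid_ent_old, do_cpuid_ent_fixed and run_query are illustrative stand-ins, the leaf contents are constructed values, and the caller's buffer is allocated one entry larger than the capacity it reports so the overflow lands in an inspectable canary slot rather than in unrelated memory.

```c
/*
 * Added example, not AEHD or Linux KVM code: a userspace model of the
 * do_cpuid_ent() dispatch in arch/x86/kvm/cpuid.c. All function names are
 * illustrative stand-ins and the leaf contents are constructed values.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP 2	/* entries the caller says its buffer holds (the maxnent argument) */

enum cpuid_type { GET_SUPPORTED_CPUID, GET_EMULATED_CPUID };

struct cpuid_entry {
	uint32_t function, index;
	uint32_t eax, ebx, ecx, edx;
};

typedef int (*dispatch_fn)(struct cpuid_entry *, uint32_t, int *, int, enum cpuid_type);

/* "Supported" path: it has always carried its own bounds check. */
static int fill_supported(struct cpuid_entry *entry, uint32_t func, int *nent, int maxnent)
{
	if (*nent >= maxnent)
		return -E2BIG;
	entry->function = func;
	entry->eax = 0x000306a9;	/* constructed leaf contents */
	++*nent;
	return 0;
}

/* "Emulated" path as it was before the fix: maxnent is received but never checked. */
static int fill_emulated_unchecked(struct cpuid_entry *entry, uint32_t func, int *nent, int maxnent)
{
	(void)maxnent;
	entry->function = func;
	entry->ecx = 1u << 22;	/* constructed: the CPUID.1:ECX MOVBE bit */
	++*nent;
	return 0;
}

/* Dispatcher before the fix: only one of the two paths is bounds-checked. */
static int do_cpuid_ent_old(struct cpuid_entry *entry, uint32_t func, int *nent, int maxnent, enum cpuid_type type)
{
	if (type == GET_EMULATED_CPUID)
		return fill_emulated_unchecked(entry, func, nent, maxnent);
	return fill_supported(entry, func, nent, maxnent);
}

/* Dispatcher after the fix: the check runs ahead of the dispatch, so it
 * covers both paths regardless of what the callees do. */
static int do_cpuid_ent_fixed(struct cpuid_entry *entry, uint32_t func, int *nent, int maxnent, enum cpuid_type type)
{
	if (*nent >= maxnent)
		return -E2BIG;
	return do_cpuid_ent_old(entry, func, nent, maxnent, type);
}

struct query_result {
	int rc;		/* 0, or the first error the dispatcher returned */
	int nent;	/* entries the dispatcher believes it wrote */
	int canary_hit;	/* 1 if the slot past the declared capacity was written */
};

/* Mirrors the ioctl loop: fill nfuncs leaves into a buffer declared as CAP
 * entries. The buffer holds CAP + 1 entries so that an overflow of exactly
 * one entry hits the canary slot instead of memory outside the array. */
static struct query_result run_query(dispatch_fn dispatch, enum cpuid_type type, int nfuncs)
{
	struct cpuid_entry buf[CAP + 1];
	struct query_result res = { 0, 0, 0 };

	memset(buf, 0, sizeof buf);
	for (uint32_t f = 1; f <= (uint32_t)nfuncs && res.nent <= CAP; f++) {
		res.rc = dispatch(&buf[res.nent], f, &res.nent, CAP, type);
		if (res.rc)
			break;
	}
	res.canary_hit = buf[CAP].function != 0;
	return res;
}

int main(void)
{
	struct query_result r;

	r = run_query(do_cpuid_ent_old, GET_EMULATED_CPUID, CAP + 1);
	printf("old/emulated:   rc=%d nent=%d canary_hit=%d\n", r.rc, r.nent, r.canary_hit);
	r = run_query(do_cpuid_ent_old, GET_SUPPORTED_CPUID, CAP + 1);
	printf("old/supported:  rc=%d nent=%d canary_hit=%d\n", r.rc, r.nent, r.canary_hit);
	r = run_query(do_cpuid_ent_fixed, GET_EMULATED_CPUID, CAP + 1);
	printf("fixed/emulated: rc=%d nent=%d canary_hit=%d\n", r.rc, r.nent, r.canary_hit);
	return 0;
}
```

Asking for one leaf more than the buffer holds shows the asymmetry the commit message describes: the old emulated path returns 0 and writes the canary slot, the old supported path stops with -E2BIG, and the fixed dispatcher stops with -E2BIG on either path. In the real ioctl the buffer is a kernel allocation sized from the userspace-supplied nent, so the slot the model treats as a canary is whatever follows that allocation.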
Diffstat (limited to 'arch/x86')

mode | file | lines
---|---|---
-rwxr-xr-x | arch/x86/kvm/cpuid.c | 3

1 files changed, 3 insertions, 0 deletions
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index 2f21371..062c21c 100755 --- a/arch/x86/kvm/cpuid.c +++ b/arch/x86/kvm/cpuid.c @@ -571,6 +571,9 @@ out: static int do_cpuid_ent(struct kvm_cpuid_entry *entry, u32 func, u32 idx, int *nent, int maxnent, unsigned int type) { + if (*nent >= maxnent) + return -E2BIG; + if (type == AEHD_GET_EMULATED_CPUID) return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent); |
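Review bot: with `if (*nent >= maxnent) return -E2BIG;` now at the top of do_cpuid_ent(), the check that the commit message says already existed in the supported path is only ever reached after this one has passed, so it is redundant; the diffstat (3 insertions, 0 deletions) confirms it is left in place. Either drop it or annotate it as defense in depth, so a later reader does not mistake it for the real guard. Note also that this guard covers exactly one entry per call: it is correct as long as each callee fills at most one entry per invocation, and a callee that ever writes more than one would still need its own per-entry check. Separately, the file header shows arch/x86/kvm/cpuid.c with mode 100755 (the diffstat lists it as -rwxr-xr-x); a C source file should not carry the executable bit, and this is worth a follow-up chmod.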