On 25/03/19 19:47, David Rientjes wrote: > This ensures that the address and length provided to DBG_DECRYPT and > DBG_ENCRYPT do not cause an overflow. > > At the same time, pass the actual number of pages pinned in memory to > sev_unpin_memory() as a cleanup. > > Reported-by: Cfir Cohen <c...@google.com> > Signed-off-by: David Rientjes <rient...@google.com> > --- > arch/x86/kvm/svm.c | 12 +++++++++--- > 1 file changed, 9 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c > --- a/arch/x86/kvm/svm.c > +++ b/arch/x86/kvm/svm.c > @@ -6799,7 +6799,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct > kvm_sev_cmd *argp, bool dec) > struct page **src_p, **dst_p; > struct kvm_sev_dbg debug; > unsigned long n; > - int ret, size; > + unsigned int size; > + int ret; > > if (!sev_guest(kvm)) > return -ENOTTY; > @@ -6807,6 +6808,11 @@ static int sev_dbg_crypt(struct kvm *kvm, struct > kvm_sev_cmd *argp, bool dec) > if (copy_from_user(&debug, (void __user *)(uintptr_t)argp->data, > sizeof(debug))) > return -EFAULT; > > + if (!debug.len || debug.src_uaddr + debug.len < debug.src_uaddr) > + return -EINVAL; > + if (!debug.dst_uaddr) > + return -EINVAL; > + > vaddr = debug.src_uaddr; > size = debug.len; > vaddr_end = vaddr + size; > @@ -6857,8 +6863,8 @@ static int sev_dbg_crypt(struct kvm *kvm, struct > kvm_sev_cmd *argp, bool dec) > dst_vaddr, > len, &argp->error); > > - sev_unpin_memory(kvm, src_p, 1); > - sev_unpin_memory(kvm, dst_p, 1); > + sev_unpin_memory(kvm, src_p, n); > + sev_unpin_memory(kvm, dst_p, n); > > if (ret) > goto err; >
Queued, thanks. Paolo
