diff options
author | Max Krummenacher <max.krummenacher@toradex.com> | 2021-10-16 13:04:24 +0200 |
---|---|---|
committer | Max Krummenacher <max.krummenacher@toradex.com> | 2021-10-16 13:04:24 +0200 |
commit | f8e718054f4421d11638e370b933ccc6c77466ed (patch) | |
tree | 973ff8cb8aed7d8e4da6a194456ddc01c206b7de /arch/powerpc/kvm/book3s_rtas.c | |
parent | d900385139e5aa8d584dee92c87bb85d0226253e (diff) | |
parent | 1392fe82d7fba00ba4a8e01968935f2b2085d5a4 (diff) |
Merge tag 'v4.4.288' into toradex_vf_4.4
This is the 4.4.288 stable release
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Diffstat (limited to 'arch/powerpc/kvm/book3s_rtas.c')
-rw-r--r-- | arch/powerpc/kvm/book3s_rtas.c | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/arch/powerpc/kvm/book3s_rtas.c b/arch/powerpc/kvm/book3s_rtas.c index b1b2273d1f6d..308744830f55 100644 --- a/arch/powerpc/kvm/book3s_rtas.c +++ b/arch/powerpc/kvm/book3s_rtas.c @@ -230,6 +230,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu) * value so we can restore it on the way out. */ orig_rets = args.rets; + if (be32_to_cpu(args.nargs) >= ARRAY_SIZE(args.args)) { + /* + * Don't overflow our args array: ensure there is room for + * at least rets[0] (even if the call specifies 0 nret). + * + * Each handler must then check for the correct nargs and nret + * values, but they may always return failure in rets[0]. + */ + rc = -EINVAL; + goto fail; + } args.rets = &args.args[be32_to_cpu(args.nargs)]; mutex_lock(&vcpu->kvm->arch.rtas_token_lock); @@ -257,9 +268,17 @@ int kvmppc_rtas_hcall(struct kvm_vcpu *vcpu) fail: /* * We only get here if the guest has called RTAS with a bogus - * args pointer. That means we can't get to the args, and so we - * can't fail the RTAS call. So fail right out to userspace, - * which should kill the guest. + * args pointer or nargs/nret values that would overflow the + * array. That means we can't get to the args, and so we can't + * fail the RTAS call. So fail right out to userspace, which + * should kill the guest. + * + * SLOF should actually pass the hcall return value from the + * rtas handler call in r3, so enter_rtas could be modified to + * return a failure indication in r3 and we could return such + * errors to the guest rather than failing to host userspace. + * However old guests that don't test for failure could then + * continue silently after errors, so for now we won't do this. */ return rc; } |