kvm: nVMX: Fix kernel panics induced by illegal INVEPT/INVVPID types Bitwise shifts by amounts greater than or equal to the width of the left operand are undefined. A malicious guest can exploit this to crash a 32-bit host, due to the BUG_ON(1)'s in handle_{invept,invvpid}. Signed-off-by: Jim Mattson <jmattson@google.com> Message-Id: <1477496318-17681-1-git-send-email-jmattson@google.com> [Change 1UL to 1, to match the range check on the shift count. - Paolo] Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

commit: 85c856b39b479dde410ddd09df1da745343010c9 [log] [tgz]
author: Jim Mattson <jmattson@google.com> Wed Oct 26 08:38:38 2016 -0700
committer: Paolo Bonzini <pbonzini@redhat.com> Thu Oct 27 12:15:27 2016 +0200
tree: 54e99503fc7d4abc2d6b573099566428c864c0d0
parent: 58e3948a87e39289aeda5753e9712092c8ca0745 [diff] [blame]
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index cf1b16d..74a4df9 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c

@@ -7659,7 +7659,7 @@
 
 	types = (vmx->nested.nested_vmx_ept_caps >> VMX_EPT_EXTENT_SHIFT) & 6;
 
-	if (!(types & (1UL << type))) {
+	if (type >= 32 || !(types & (1 << type))) {
 		nested_vmx_failValid(vcpu,
 				VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
 		skip_emulated_instruction(vcpu);
@@ -7722,7 +7722,7 @@
 
 	types = (vmx->nested.nested_vmx_vpid_caps >> 8) & 0x7;
 
-	if (!(types & (1UL << type))) {
+	if (type >= 32 || !(types & (1 << type))) {
 		nested_vmx_failValid(vcpu,
 			VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
 		skip_emulated_instruction(vcpu);
commit	85c856b39b479dde410ddd09df1da745343010c9	[log] [tgz]
author	Jim Mattson <jmattson@google.com>	Wed Oct 26 08:38:38 2016 -0700
committer	Paolo Bonzini <pbonzini@redhat.com>	Thu Oct 27 12:15:27 2016 +0200
tree	54e99503fc7d4abc2d6b573099566428c864c0d0
parent	58e3948a87e39289aeda5753e9712092c8ca0745 [diff] [blame]