[RFC] kvm - possible out of bounds

2015-11-29 Thread Geyslan Gregório Bem
Hello, I have found a possible out of bounds reading in arch/powerpc/kvm/book3s_64_mmu.c (kvmppc_mmu_book3s_64_xlate function). pteg[] array could be accessed twice using the i variable after the for iteration. What happens is that in the last iteration the i index is incremented to 16, checked

Re: [RFC] kvm - possible out of bounds

2015-11-29 Thread Paul Mackerras
On Sun, Nov 29, 2015 at 05:14:03PM -0300, Geyslan Gregório Bem wrote: > Hello, > > I have found a possible out of bounds reading in > arch/powerpc/kvm/book3s_64_mmu.c (kvmppc_mmu_book3s_64_xlate > function). pteg[] array could be accessed twice using the i variable > after the for iteration. What

Re: [RFC] kvm - possible out of bounds

2015-11-29 Thread Geyslan Gregório Bem
2015-11-29 18:33 GMT-03:00 Paul Mackerras : > On Sun, Nov 29, 2015 at 05:14:03PM -0300, Geyslan Gregório Bem wrote: >> Hello, >> >> I have found a possible out of bounds reading in >> arch/powerpc/kvm/book3s_64_mmu.c (kvmppc_mmu_book3s_64_xlate >> function). pteg[] array could

Re: [PATCH kernel 5/9] KVM: PPC: Account TCE-containing pages in locked_vm

2015-11-29 Thread Paul Mackerras
On Tue, Sep 15, 2015 at 08:49:35PM +1000, Alexey Kardashevskiy wrote: > At the moment pages used for TCE tables (in addition to pages addressed > by TCEs) are not counted in locked_vm counter so a malicious userspace > tool can call ioctl(KVM_CREATE_SPAPR_TCE) as many times as RLIMIT_NOFILE and >

Re: [PATCH kernel 5/9] KVM: PPC: Account TCE-containing pages in locked_vm

2015-11-29 Thread Alexey Kardashevskiy
On 11/30/2015 01:06 PM, Paul Mackerras wrote: On Tue, Sep 15, 2015 at 08:49:35PM +1000, Alexey Kardashevskiy wrote: At the moment pages used for TCE tables (in addition to pages addressed by TCEs) are not counted in locked_vm counter so a malicious userspace tool can call