1 | Subject: [PATCH] kvm: fix page struct leak in handle_vmon |
2 | From: Paolo Bonzini <pbonzini () redhat ! com> | |
3 | Date: 2017-01-24 10:56:21 | |
4 | ||
5 | handle_vmon gets a reference on VMXON region page, | |
6 | but does not release it. Release the reference. | |
7 | ||
8 | Found by syzkaller; based on a patch by Dmitry. | |
9 | ||
10 | Reported-by: Dmitry Vyukov <dvyukov@google.com> | |
11 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | |
12 | Reviewed-by: David Hildenbrand <david@redhat.com> | |
13 | --- |
14 | arch/x86/kvm/vmx.c | 9 +++++++-- | |
15 | 1 file changed, 7 insertions(+), 2 deletions(-) | |
16 | ||
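diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 42cc3d6f4d20..0f7345035210 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7085,13 +7085,18 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
 		}
 
 		page = nested_get_page(vcpu, vmptr);
-		if (page == NULL ||
-		    *(u32 *)kmap(page) != VMCS12_REVISION) {
+		if (page == NULL) {
 			nested_vmx_failInvalid(vcpu);
+			return kvm_skip_emulated_instruction(vcpu);
+		}
+		if (*(u32 *)kmap(page) != VMCS12_REVISION) {
 			kunmap(page);
+			nested_release_page_clean(page);
+			nested_vmx_failInvalid(vcpu);
 			return kvm_skip_emulated_instruction(vcpu);
 		}
 		kunmap(page);
+		nested_release_page_clean(page);
 		vmx->nested.vmxon_ptr = vmptr;
 		break;
 	case EXIT_REASON_VMCLEAR: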
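Review bot: The `kunmap(page); nested_release_page_clean(page);` pair is now duplicated in the revision-mismatch branch and on the success path, so any future early return added between `kmap(page)` and the store to `vmx->nested.vmxon_ptr` would reintroduce exactly the page-reference leak this commit fixes. Since only a single u32 is read from the VMXON page, the map, unmap and release could be done once before the comparison, leaving one release site and no mapping live across the failure path; this needs a `u32 revision;` local declared at the top of nested_vmx_check_vmptr, which starts outside the hunk (the switch also continues past it into EXIT_REASON_VMCLEAR). The NULL-page branch is right as written: no mapping or reference is held at that point, so returning before any release is correct.
```c
/* … unchanged: nested_get_page() and the page == NULL branch … */
		revision = *(u32 *)kmap(page);
		kunmap(page);
		nested_release_page_clean(page);
		if (revision != VMCS12_REVISION) {
			nested_vmx_failInvalid(vcpu);
			return kvm_skip_emulated_instruction(vcpu);
		}
		vmx->nested.vmxon_ptr = vmptr;
```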