1 | Subject: [PATCH] kvm: fix page struct leak in handle_vmon |
2 | From: Paolo Bonzini <pbonzini () redhat ! com> | |
3 | Date: 2017-01-24 10:56:21 | |
4 | ||
5 | handle_vmon gets a reference on VMXON region page, | |
6 | but does not release it. Release the reference. | |
7 | ||
8 | Found by syzkaller; based on a patch by Dmitry. | |
9 | ||
10 | Reported-by: Dmitry Vyukov <dvyukov@google.com> | |
11 | Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> | |
12 | Reviewed-by: David Hildenbrand <david@redhat.com> | |
13 | Backported-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
14 | --- | |
15 | arch/x86/kvm/vmx.c | 9 +++++++-- | |
16 | 1 file changed, 7 insertions(+), 2 deletions(-) | |
17 | ||
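--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -6676,14 +6676,20 @@ static int nested_vmx_check_vmptr(struct kvm_vcpu *vcpu, int exit_reason,
 }
 
 page = nested_get_page(vcpu, vmptr);
-if (page == NULL ||
-    *(u32 *)kmap(page) != VMCS12_REVISION) {
+if (page == NULL) {
 nested_vmx_failInvalid(vcpu);
+skip_emulated_instruction(vcpu);
+return 1;
+}
+if (*(u32 *)kmap(page) != VMCS12_REVISION) {
 kunmap(page);
+nested_release_page_clean(page);
+nested_vmx_failInvalid(vcpu);
 skip_emulated_instruction(vcpu);
 return 1;
 }
 kunmap(page);
+nested_release_page_clean(page);
 vmx->nested.vmxon_ptr = vmptr;
 break;
 case EXIT_REASON_VMCLEAR: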
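Review bot: The fix leaves two hand-written exit paths that must each get the kmap/kunmap/nested_release_page_clean pairing right, and nested_vmx_check_vmptr both starts and ends outside this hunk, so any other exit from the function after the nested_get_page call carries the same obligation and is not visible here. Because only a single u32 revision id is read from the VMXON region, the page does not need to be pinned at all; if kvm_read_guest is available in this tree, `u32 revision; if (kvm_read_guest(vcpu->kvm, vmptr, &revision, sizeof(revision)) || revision != VMCS12_REVISION)` replaces the get/kmap/kunmap/release sequence with one call and removes the reference-count pairing that this patch had to repair. If the backport must stay minimal, a comment above the first kmap such as `/* page is pinned by nested_get_page(); every exit below must kunmap and nested_release_page_clean it */` would at least record the contract for the next change to this block. Separately, the hunk header's +20 line count implies eight added lines while the diffstat lists seven insertions, which suggests the diffstat was carried over from the upstream patch rather than regenerated for the backport.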
45 | -- | |
46 | 1.8.3.1 |