ANDROID: KVM: arm64: mem range overflow checks for pKVM mem_protect

Although we have not identified any exploit (all the ranges are verified and
limited later), check for overflow when converting a number of pages to
a size as early as possible. Belt and braces.

Bug: 357781595
Change-Id: I8ac7ccf2449ffd96e56c775807cb03f2ed16254b
Signed-off-by: Vincent Donnefort <vdonnefort@google.com>
Vincent Donnefort
2025-01-28 14:12:01 +00:00
parent 9bab050913
commit dc0a3182a9
+48 -18
@@ -1299,7 +1299,11 @@ int __pkvm_guest_share_host(struct pkvm_hyp_vcpu *vcpu, u64 ipa, u64 nr_pages,
goto unlock;
phys = kvm_pte_to_phys(pte);
size = nr_pages << PAGE_SHIFT;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size)) {
ret = -EINVAL;
goto unlock;
}
ret = __host_check_page_state_range(phys, size, PKVM_NOPAGE);
if (ret)
goto unlock;
@@ -1333,7 +1337,11 @@ int __pkvm_guest_unshare_host(struct pkvm_hyp_vcpu *vcpu, u64 ipa, u64 nr_pages,
goto unlock;
phys = kvm_pte_to_phys(pte);
size = nr_pages << PAGE_SHIFT;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size)) {
ret = -EINVAL;
goto unlock;
}
ret = __host_check_page_state_range(phys, size, PKVM_PAGE_SHARED_BORROWED);
if (ret)
goto unlock;
@@ -1381,11 +1389,13 @@ int ___pkvm_host_donate_hyp(u64 pfn, u64 nr_pages, bool accept_mmio)
int __pkvm_host_donate_hyp_locked(u64 pfn, u64 nr_pages, enum kvm_pgtable_prot prot)
{
u64 phys = hyp_pfn_to_phys(pfn);
u64 size = nr_pages * PAGE_SIZE;
u64 size, phys = hyp_pfn_to_phys(pfn);
void *virt = __hyp_va(phys);
int ret;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
return -EINVAL;
hyp_lock_component();
ret = __host_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
@@ -1409,11 +1419,13 @@ unlock:
int __pkvm_hyp_donate_host(u64 pfn, u64 nr_pages)
{
u64 phys = hyp_pfn_to_phys(pfn);
u64 size = PAGE_SIZE * nr_pages;
u64 size, phys = hyp_pfn_to_phys(pfn);
u64 virt = (u64)__hyp_va(phys);
int ret;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
return -EINVAL;
host_lock_component();
hyp_lock_component();
@@ -1444,8 +1456,7 @@ unlock:
int module_change_host_page_prot(u64 pfn, enum kvm_pgtable_prot prot, u64 nr_pages,
bool update_iommu)
{
u64 i, addr = hyp_pfn_to_phys(pfn);
u64 end = addr + nr_pages * PAGE_SIZE;
u64 i, end, addr = hyp_pfn_to_phys(pfn);
struct hyp_page *page = NULL;
struct kvm_mem_range range;
struct memblock_region *reg;
@@ -1454,6 +1465,10 @@ int module_change_host_page_prot(u64 pfn, enum kvm_pgtable_prot prot, u64 nr_pag
if ((prot & MODULE_PROT_ALLOWLIST) != prot)
return -EINVAL;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &end) ||
check_add_overflow(addr, end, &end))
return -EINVAL;
reg = find_mem_range(addr, &range);
if (end > range.end) {
/* Specified range not in a single mmio or memory block. */
@@ -1521,13 +1536,15 @@ unlock:
int __pkvm_host_lazy_pte(u64 pfn, u64 nr_pages, bool enable)
{
u64 size = nr_pages << PAGE_SHIFT;
u64 addr = hyp_pfn_to_phys(pfn);
u64 end = addr + size;
u64 size, end, addr = hyp_pfn_to_phys(pfn);
struct memblock_region *reg;
struct kvm_mem_range range;
int ret;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size) ||
check_add_overflow(addr, size, &end))
return -EINVAL;
/* Reject MMIO regions */
reg = find_mem_range(addr, &range);
if (!reg || !is_in_mem_range(end - 1, &range))
@@ -1599,10 +1616,12 @@ void hyp_unpin_shared_mem(void *from, void *to)
int __pkvm_host_share_ffa(u64 pfn, u64 nr_pages)
{
u64 phys = hyp_pfn_to_phys(pfn);
u64 size = PAGE_SIZE * nr_pages;
u64 size, phys = hyp_pfn_to_phys(pfn);
int ret;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
return -EINVAL;
host_lock_component();
ret = __host_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
@@ -1616,10 +1635,12 @@ int __pkvm_host_share_ffa(u64 pfn, u64 nr_pages)
int __pkvm_host_unshare_ffa(u64 pfn, u64 nr_pages)
{
u64 phys = hyp_pfn_to_phys(pfn);
u64 size = PAGE_SIZE * nr_pages;
u64 size, phys = hyp_pfn_to_phys(pfn);
int ret;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
return -EINVAL;
host_lock_component();
ret = __host_check_page_state_range(phys, size, PKVM_PAGE_SHARED_OWNED);
@@ -1712,14 +1733,17 @@ int __pkvm_host_share_guest(struct pkvm_hyp_vcpu *vcpu, u64 pfn, u64 gfn,
u64 nr_pages, enum kvm_pgtable_prot prot)
{
struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(vcpu);
size_t size = nr_pages * PAGE_SIZE;
u64 phys = hyp_pfn_to_phys(pfn);
u64 ipa = hyp_pfn_to_phys(gfn);
size_t size;
int ret;
if (prot & ~KVM_PGTABLE_PROT_RWX)
return -EINVAL;
if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
return -EINVAL;
host_lock_component();
guest_lock_component(vm);
@@ -1890,12 +1914,15 @@ int __pkvm_host_donate_guest(struct pkvm_hyp_vcpu *vcpu, u64 pfn, u64 gfn,
u64 nr_pages)
{
struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(vcpu);
size_t size = nr_pages * PAGE_SIZE;
u64 phys = hyp_pfn_to_phys(pfn);
u64 ipa = hyp_pfn_to_phys(gfn);
enum kvm_pgtable_prot prot;
size_t size;
int ret;
if (check_mul_overflow(nr_pages, PAGE_SIZE, &size))
return -EINVAL;
host_lock_component();
guest_lock_component(vm);
@@ -1957,10 +1984,13 @@ void drain_hyp_pool(struct pkvm_hyp_vm *vm, struct kvm_hyp_memcache *mc)
int __pkvm_host_reclaim_page(struct pkvm_hyp_vm *vm, u64 pfn, u64 ipa, u8 order)
{
phys_addr_t __phys, phys = hyp_pfn_to_phys(pfn);
size_t page_size = PAGE_SIZE << order;
size_t page_size;
kvm_pte_t pte;
int ret = 0;
if (check_shl_overflow(PAGE_SIZE, order, &page_size))
return -EINVAL;
host_lock_component();
guest_lock_component(vm);
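Review bot: In the first two hunks (`__pkvm_guest_share_host`, `__pkvm_guest_unshare_host`) the new `check_shl_overflow()` runs only after the code is already inside the region that `goto unlock` releases and after the walk has produced `pte`, whereas every other hunk in this commit rejects an oversized `nr_pages` before `host_lock_component()`/`guest_lock_component()`. Since the check depends on nothing but `nr_pages`, it could be hoisted to the top of each of those two functions as `if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size)) return -EINVAL;` so a bad argument is refused without taking the lock or walking the table; both enclosing functions start outside their hunks, so the exact insertion point is not visible here. As a consistency nit, `__pkvm_host_donate_guest` uses `check_mul_overflow(nr_pages, PAGE_SIZE, &size)` while its siblings all use `check_shl_overflow(nr_pages, PAGE_SHIFT, &size)`; the two are equivalent for a page-sized multiplier, but a single form makes the pattern easier to audit.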