From dc0a3182a9a6dfa15d667c8a8909e9230229a8e0 Mon Sep 17 00:00:00 2001
From: Vincent Donnefort
Date: Tue, 28 Jan 2025 14:12:01 +0000
Subject: [PATCH] ANDROID: KVM: arm64: mem range overflow checks for pKVM mem_protect

If we have not identified any exploit (all the ranges are verified and limited later), check for overflow when going from a number of pages to a size as early as possible. Belt and braces.

Bug: 357781595
Change-Id: I8ac7ccf2449ffd96e56c775807cb03f2ed16254b
Signed-off-by: Vincent Donnefort
---
 arch/arm64/kvm/hyp/nvhe/mem_protect.c | 66 +++++++++++++++++++--------
 1 file changed, 48 insertions(+), 18 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
index b375c70bbb84..ad761cad44ee 100644
--- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c
+++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c
@@ -1299,7 +1299,11 @@ int __pkvm_guest_share_host(struct pkvm_hyp_vcpu *vcpu, u64 ipa, u64 nr_pages,
 		goto unlock;
 
 	phys = kvm_pte_to_phys(pte);
-	size = nr_pages << PAGE_SHIFT;
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size)) {
+		ret = -EINVAL;
+		goto unlock;
+	}
+
 	ret = __host_check_page_state_range(phys, size, PKVM_NOPAGE);
 	if (ret)
 		goto unlock;
@@ -1333,7 +1337,11 @@ int __pkvm_guest_unshare_host(struct pkvm_hyp_vcpu *vcpu, u64 ipa, u64 nr_pages,
 		goto unlock;
 
 	phys = kvm_pte_to_phys(pte);
-	size = nr_pages << PAGE_SHIFT;
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size)) {
+		ret = -EINVAL;
+		goto unlock;
+	}
+
 	ret = __host_check_page_state_range(phys, size, PKVM_PAGE_SHARED_BORROWED);
 	if (ret)
 		goto unlock;
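Review bot: In __pkvm_guest_share_host the new check_shl_overflow() guard sits after the page-table lookup and inside the locked section (the function starts and ends outside the hunk), so an oversized nr_pages is rejected only after the locks are taken and the walk is done; nothing visible uses size before that point, so unless code ahead of the hunk depends on it the check could move before the lock, as the other hunks in this patch do. The @@ -1333 hunk in __pkvm_guest_unshare_host has the same shape. Unlike module_change_host_page_prot and __pkvm_host_lazy_pte, the sum phys + size is not checked for wrap at these two sites, which is only safe if __host_check_page_state_range() itself rejects an end below its start; worth confirming, or adding a `check_add_overflow()` on the range end in the same condition.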
@@ -1381,11 +1389,13 @@ int ___pkvm_host_donate_hyp(u64 pfn, u64 nr_pages, bool accept_mmio)
 
 int __pkvm_host_donate_hyp_locked(u64 pfn, u64 nr_pages, enum kvm_pgtable_prot prot)
 {
-	u64 phys = hyp_pfn_to_phys(pfn);
-	u64 size = nr_pages * PAGE_SIZE;
+	u64 size, phys = hyp_pfn_to_phys(pfn);
 	void *virt = __hyp_va(phys);
 	int ret;
 
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
+		return -EINVAL;
+
 	hyp_lock_component();
 
 	ret = __host_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
@@ -1409,11 +1419,13 @@ unlock:
 
 int __pkvm_hyp_donate_host(u64 pfn, u64 nr_pages)
 {
-	u64 phys = hyp_pfn_to_phys(pfn);
-	u64 size = PAGE_SIZE * nr_pages;
+	u64 size, phys = hyp_pfn_to_phys(pfn);
 	u64 virt = (u64)__hyp_va(phys);
 	int ret;
 
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
+		return -EINVAL;
+
 	host_lock_component();
 	hyp_lock_component();
 
@@ -1444,8 +1456,7 @@ unlock:
 
 int module_change_host_page_prot(u64 pfn, enum kvm_pgtable_prot prot, u64 nr_pages, bool update_iommu)
 {
-	u64 i, addr = hyp_pfn_to_phys(pfn);
-	u64 end = addr + nr_pages * PAGE_SIZE;
+	u64 i, end, addr = hyp_pfn_to_phys(pfn);
 	struct hyp_page *page = NULL;
 	struct kvm_mem_range range;
 	struct memblock_region *reg;
@@ -1454,6 +1465,10 @@ int module_change_host_page_prot(u64 pfn, enum kvm_pgtable_prot prot, u64 nr_pag
 	if ((prot & MODULE_PROT_ALLOWLIST) != prot)
 		return -EINVAL;
 
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &end) ||
+	    check_add_overflow(addr, end, &end))
+		return -EINVAL;
+
 	reg = find_mem_range(addr, &range);
 	if (end > range.end) {
 		/* Specified range not in a single mmio or memory block. */
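Review bot: `u64 size, phys = hyp_pfn_to_phys(pfn);` in __pkvm_host_donate_hyp_locked folds an uninitialised declarator and an initialised one into a single declaration, which kernel style avoids and which the removed lines already had as separate declarations; `u64 phys = hyp_pfn_to_phys(pfn);` followed by `u64 size;` keeps the diff to just the added check. The same merged declaration appears in __pkvm_hyp_donate_host (@@ -1409), module_change_host_page_prot (@@ -1444, `u64 i, end, addr = ...`), __pkvm_host_lazy_pte (@@ -1521), __pkvm_host_share_ffa (@@ -1599) and __pkvm_host_unshare_ffa (@@ -1616). The rest of __pkvm_host_donate_hyp_locked lies outside the hunk.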
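Review bot: In module_change_host_page_prot the shifted size is parked in `end` and then `check_add_overflow(addr, end, &end)` reads and writes the same variable; the builtin evaluates its operands before storing, so this is well-defined, but it hides that `end` briefly holds a length rather than an address. __pkvm_host_lazy_pte in the @@ -1521 hunk keeps a separate `size` local for the same computation, and doing likewise here — `check_shl_overflow(nr_pages, PAGE_SHIFT, &size) || check_add_overflow(addr, size, &end)` — reads more clearly and matches that sibling. The function continues past the end of the hunk.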
@@ -1521,13 +1536,15 @@ unlock:
 
 int __pkvm_host_lazy_pte(u64 pfn, u64 nr_pages, bool enable)
 {
-	u64 size = nr_pages << PAGE_SHIFT;
-	u64 addr = hyp_pfn_to_phys(pfn);
-	u64 end = addr + size;
+	u64 size, end, addr = hyp_pfn_to_phys(pfn);
 	struct memblock_region *reg;
 	struct kvm_mem_range range;
 	int ret;
 
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size) ||
+	    check_add_overflow(addr, size, &end))
+		return -EINVAL;
+
 	/* Reject MMIO regions */
 	reg = find_mem_range(addr, &range);
 	if (!reg || !is_in_mem_range(end - 1, &range))
@@ -1599,10 +1616,12 @@ void hyp_unpin_shared_mem(void *from, void *to)
 
 int __pkvm_host_share_ffa(u64 pfn, u64 nr_pages)
 {
-	u64 phys = hyp_pfn_to_phys(pfn);
-	u64 size = PAGE_SIZE * nr_pages;
+	u64 size, phys = hyp_pfn_to_phys(pfn);
 	int ret;
 
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
+		return -EINVAL;
+
 	host_lock_component();
 
 	ret = __host_check_page_state_range(phys, size, PKVM_PAGE_OWNED);
@@ -1616,10 +1635,12 @@ int __pkvm_host_share_ffa(u64 pfn, u64 nr_pages)
 
 int __pkvm_host_unshare_ffa(u64 pfn, u64 nr_pages)
 {
-	u64 phys = hyp_pfn_to_phys(pfn);
-	u64 size = PAGE_SIZE * nr_pages;
+	u64 size, phys = hyp_pfn_to_phys(pfn);
 	int ret;
 
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
+		return -EINVAL;
+
 	host_lock_component();
 
 	ret = __host_check_page_state_range(phys, size, PKVM_PAGE_SHARED_OWNED);
@@ -1712,14 +1733,17 @@ int __pkvm_host_share_guest(struct pkvm_hyp_vcpu *vcpu, u64 pfn, u64 gfn,
 			    u64 nr_pages, enum kvm_pgtable_prot prot)
 {
 	struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(vcpu);
-	size_t size = nr_pages * PAGE_SIZE;
 	u64 phys = hyp_pfn_to_phys(pfn);
 	u64 ipa = hyp_pfn_to_phys(gfn);
+	size_t size;
 	int ret;
 
 	if (prot & ~KVM_PGTABLE_PROT_RWX)
 		return -EINVAL;
 
+	if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))
+		return -EINVAL;
+
 	host_lock_component();
 	guest_lock_component(vm);
 
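Review bot: The new guard in __pkvm_host_lazy_pte rejects a wrapping size and end but still admits nr_pages == 0, which yields end == addr, so the `is_in_mem_range(end - 1, &range)` test on the following line probes the byte before the requested range rather than anything inside it. Whether callers already reject an empty range is not visible here; if they do not, `if (!nr_pages || check_shl_overflow(nr_pages, PAGE_SHIFT, &size) ||` would close that gap at the same spot. module_change_host_page_prot (@@ -1454) has the same `end`-based range test after its new check. The function continues past the end of the hunk.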
@@ -1890,12 +1914,15 @@ int __pkvm_host_donate_guest(struct pkvm_hyp_vcpu *vcpu, u64 pfn, u64 gfn,
 			     u64 nr_pages)
 {
 	struct pkvm_hyp_vm *vm = pkvm_hyp_vcpu_to_hyp_vm(vcpu);
-	size_t size = nr_pages * PAGE_SIZE;
 	u64 phys = hyp_pfn_to_phys(pfn);
 	u64 ipa = hyp_pfn_to_phys(gfn);
 	enum kvm_pgtable_prot prot;
+	size_t size;
 	int ret;
 
+	if (check_mul_overflow(nr_pages, PAGE_SIZE, &size))
+		return -EINVAL;
+
 	host_lock_component();
 	guest_lock_component(vm);
 
@@ -1957,10 +1984,13 @@ void drain_hyp_pool(struct pkvm_hyp_vm *vm, struct kvm_hyp_memcache *mc)
 int __pkvm_host_reclaim_page(struct pkvm_hyp_vm *vm, u64 pfn, u64 ipa, u8 order)
 {
 	phys_addr_t __phys, phys = hyp_pfn_to_phys(pfn);
-	size_t page_size = PAGE_SIZE << order;
+	size_t page_size;
 	kvm_pte_t pte;
 	int ret = 0;
 
+	if (check_shl_overflow(PAGE_SIZE, order, &page_size))
+		return -EINVAL;
+
 	host_lock_component();
 	guest_lock_component(vm);
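Review bot: __pkvm_host_donate_guest is the one site in this patch that uses `check_mul_overflow(nr_pages, PAGE_SIZE, &size)` while every other site, including __pkvm_host_share_guest directly above, uses `check_shl_overflow(nr_pages, PAGE_SHIFT, &size)`; both forms are correct, but mixing them makes the pattern harder to grep for and audit. Switching this one to `if (check_shl_overflow(nr_pages, PAGE_SHIFT, &size))` keeps the guards uniform across the file. The function continues past the end of the hunk.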