kvm: using uninitialized var in tdp_page_fault


Sasha Levin

Jan 15, 2016, 12:02:28 PM
to Paolo Bonzini, Gleb Natapov, LKML, Dmitry Vyukov, syzkaller
Hi all,

While fuzzing with syzkaller on the latest -next kernel running on a KVM tools
guest, I've hit the following use of an uninitialized variable:

[ 810.783676] UBSAN: Undefined behaviour in arch/x86/kvm/mmu.c:3502:6
[ 810.785650] load of value 179 is not a valid value for type '_Bool'
[ 810.787554] CPU: 2 PID: 24676 Comm: syz-executor Tainted: G D 4.4.0-next-20160114-sasha-00021-gf1273d1-dirty #2798
[ 810.790792] 1ffff10018213e84 000000008c6fa2f9 ffff8800c109f4a0 ffffffff83433c4e
[ 810.792954] 0000000041b58ab3 ffffffff8f960c38 ffffffff83433b86 ffff8800c109f468
[ 810.794776] 0000188300000001 000000008c6fa2f9 ffffffff8feb7a20 ffff8800c109f530
[ 810.796001] Call Trace:
[ 810.796840] dump_stack (lib/dump_stack.c:52)
[ 810.798243] ubsan_epilogue (lib/ubsan.c:165)
[ 810.802976] __ubsan_handle_load_invalid_value (lib/ubsan.c:454)
[ 810.806657] tdp_page_fault (arch/x86/kvm/mmu.c:3502)
[ 810.809900] kvm_mmu_page_fault (arch/x86/kvm/mmu.c:4372)
[ 810.810517] handle_ept_violation (arch/x86/kvm/vmx.c:5961)
[ 810.812386] vmx_handle_exit (arch/x86/kvm/vmx.c:8183)
[ 810.817389] vcpu_enter_guest (arch/x86/kvm/x86.c:6677)
[ 810.831863] kvm_arch_vcpu_ioctl_run (arch/x86/kvm/x86.c:6741 arch/x86/kvm/x86.c:6894)
[ 810.834138] kvm_vcpu_ioctl (arch/x86/kvm/../../../virt/kvm/kvm_main.c:2365)
[ 810.840570] do_vfs_ioctl (fs/ioctl.c:44 fs/ioctl.c:674)
[ 810.855017] SyS_ioctl (fs/ioctl.c:689 fs/ioctl.c:680)
[ 810.856134] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:186)

Paolo Bonzini

Feb 23, 2016, 9:30:59 AM
to Sasha Levin, Gleb Natapov, LKML, Dmitry Vyukov, syzkaller


On 15/01/2016 18:02, Sasha Levin wrote:
> Hi all,
>
> While fuzzing with syzkaller on the latest -next kernel running on a KVM tools
> guest, I've hit the following use of an uninitialized variable:
>
> [ 810.783676] UBSAN: Undefined behaviour in arch/x86/kvm/mmu.c:3502:6
>
> [ 810.785650] load of value 179 is not a valid value for type '_Bool'

Can you check this patch:

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index be3cef12706c..fd54613a1204 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -1449,8 +1449,11 @@ pfn_t __gfn_to_pfn_memslot(struct
if (addr == KVM_HVA_ERR_RO_BAD)
return KVM_PFN_ERR_RO_FAULT;

- if (kvm_is_error_hva(addr))
+ if (kvm_is_error_hva(addr)) {
+ if (writable)
+ *writable = false;
return KVM_PFN_NOSLOT;
+ }

/* Do not map writable pfn in the readonly memslot. */
if (writable && memslot_is_readonly(slot)) {
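Review bot: the `KVM_HVA_ERR_RO_BAD` early return just above this hunk (`return KVM_PFN_ERR_RO_FAULT;`) also leaves `*writable` untouched; if the tdp_page_fault caller that tripped UBSAN can reach `__gfn_to_pfn_memslot` through that return as well, it needs the same `if (writable) *writable = false;`, and a one-line comment stating which return paths guarantee `*writable` is defined would make the contract explicit for callers. The patch as posted also has no description or Reported-by tag; when it is sent for merging it should reference the UBSAN report (arch/x86/kvm/mmu.c:3502, load of an invalid `_Bool`) so the fix stays traceable to the bug.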

Thanks,

Paolo
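The defect behind this report, reduced to its pattern as an added illustration (this is not KVM's code): a lookup with an optional `bool *writable` out-parameter that returns a "no slot" sentinel without assigning the flag, so the caller reads whatever was on its stack, beside the hardened form that defines the flag on every return path, as the patch does. The slot table and the `PFN_NOSLOT` sentinel are constructed stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for KVM's "frame not backed by any memslot" sentinel. */
#define PFN_NOSLOT ((uint64_t)-1)

struct slot { uint64_t base_gfn; uint64_t npages; bool readonly; };

/* Constructed memslot table (hypothetical), identity-mapped for illustration. */
static const struct slot slots[] = {
    { 0x000, 0x100, false },   /* RW slot: gfn 0x000..0x0ff */
    { 0x200, 0x010, true  },   /* RO slot: gfn 0x200..0x20f */
};

static const struct slot *find_slot(uint64_t gfn)
{
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++)
        if (gfn >= slots[i].base_gfn && gfn < slots[i].base_gfn + slots[i].npages)
            return &slots[i];
    return NULL;
}

/* Buggy form: the error path returns without ever writing *writable, so a
 * caller that reads the flag after a NOSLOT result sees stale stack contents
 * (UBSAN reports this as a load of an invalid _Bool value). */
static uint64_t gfn_to_pfn_buggy(uint64_t gfn, bool *writable)
{
    const struct slot *s = find_slot(gfn);
    if (!s)
        return PFN_NOSLOT;       /* *writable left undefined */
    if (writable)
        *writable = !s->readonly;
    return gfn;
}

/* Hardened form: every return path assigns the optional out-parameter. */
static uint64_t gfn_to_pfn_fixed(uint64_t gfn, bool *writable)
{
    const struct slot *s = find_slot(gfn);
    if (!s) {
        if (writable)
            *writable = false;   /* nothing mapped, so never writable */
        return PFN_NOSLOT;
    }
    if (writable)
        *writable = !s->readonly;
    return gfn;
}
```

The test below seeds the flag with a stale `true` before each call; only the hardened form clears it on the no-slot path.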

Dmitry Vyukov

Feb 28, 2016, 8:08:34 AM
to Paolo Bonzini, Sasha Levin, Gleb Natapov, LKML, syzkaller
Sasha, does it fix the issue? This patch is still not merged.