In the Linux kernel, the following vulnerability has been resolved: KVM:
x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()
KASAN reports the following issue: BUG: KASAN: stack-out-of-bounds in
kvm_make_vcpus_request_mask+0x174/0x440 [kvm] Read of size 8 at addr
ffffc9001364f638 by task qemu-kvm/4798 CPU: 0 PID: 4798 Comm: qemu-kvm
Tainted: G X --------- — Hardware name: AMD Corporation
DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020 Call Trace:
dump_stack+0xa5/0xe6 print_address_description.constprop.0+0x18/0x130 ?
kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
__kasan_report.cold+0x7f/0x114 ? kvm_make_vcpus_request_mask+0x174/0x440
[kvm] kasan_report+0x38/0x50 kasan_check_range+0xf5/0x1d0
kvm_make_vcpus_request_mask+0x174/0x440 [kvm]
kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm] ?
kvm_arch_exit+0x110/0x110 [kvm] ? sched_clock+0x5/0x10
ioapic_write_indirect+0x59f/0x9e0 [kvm] ? static_obj+0xc0/0xc0 ?
__lock_acquired+0x1d2/0x8c0 ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]
The problem appears to be that ‘vcpu_bitmap’ is allocated as a single long
on stack and it should really be KVM_MAX_VCPUS long. We also seem to clear
the lower 16 bits of it with bitmap_zero() for no particular reason (my
guess would be that ‘bitmap’ and ‘vcpu_bitmap’ variables in
kvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed
16-bit long, the later should accommodate all possible vCPUs).
git.kernel.org/linus/2f9b68f57c6278c322793a06063181deded0ad69 (5.15-rc4)
git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69
git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792
git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b
launchpad.net/bugs/cve/CVE-2021-47390
nvd.nist.gov/vuln/detail/CVE-2021-47390
security-tracker.debian.org/tracker/CVE-2021-47390
www.cve.org/CVERecord?id=CVE-2021-47390