x86/kvm: restrict kvm user region memory size
syzbot found WARNING in memslot_rmap_alloc[1] when
struct kvm_userspace_memory_region .memory_size is bigger than 0x40000000000,
which is 4GB, e.g. KMALLOC_MAX_SIZE * 100 * PAGE_SIZE.
Here is the PoC to trigger the warning:
struct kvm_userspace_memory_region mem = {
.slot = 0,
.guest_phys_addr = 0,
/* + 0x100 extra to trigger kmalloc WARNING */
.memory_size = 0x40000000000 + 0x100,
.userspace_addr = 0,
};
ioctl(kvm_fd, KVM_SET_USER_MEMORY_REGION, &mem);
I couldn't find any relevant max constant to restrict unsigned long npages.
There might be another solution with chunking big portions of pages, but
there is already KVM_MAX_HUGEPAGE_LEVEL, though warning happens in
memslot_rmap_alloc() when level = 1, base_gfn = 0, e.g.
on the very first KVM_NR_PAGE_SIZES iteration.
This is, seems, valid for early Linux versions as well. Can't tell which is
exactly can be considered for git bisect.
Here is Commit d89cc617b954af ("KVM: Push rmap into kvm_arch_memory_slot") for
example, Linux 3.7.
[1]
Call Trace:
kvmalloc include/linux/mm.h:806 [inline]
kvmalloc_array include/linux/mm.h:824 [inline]
kvcalloc include/linux/mm.h:829 [inline]
memslot_rmap_alloc+0xf6/0x310 arch/x86/kvm/x86.c:11320
kvm_alloc_memslot_metadata arch/x86/kvm/x86.c:11388 [inline]
kvm_arch_prepare_memory_region+0x48d/0x610 arch/x86/kvm/x86.c:11462
kvm_set_memslot+0xfe/0x1700 arch/x86/kvm/../../../virt/kvm/kvm_main.c:1505
...
kvm_set_memory_region arch/x86/kvm/../../../virt/kvm/kvm_main.c:1689 [inline]
kvm_vm_ioctl_set_memory_region arch/x86/kvm/../../../virt/kvm/kvm_main.c:1701
Reported-by: syzbot+e0de2333cbf95ea473e8@syzkaller.appspotmail.com
Change-Id: I953b2eb78c5f634eea595da0fd9d86c75f16a8f9
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
2 files changed
