{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()\n\nKASAN reports the following issue:\n\n BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798\n\n CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G X --------- ---\n Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020\n Call Trace:\n dump_stack+0xa5/0xe6\n print_address_description.constprop.0+0x18/0x130\n ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n __kasan_report.cold+0x7f/0x114\n ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n kasan_report+0x38/0x50\n kasan_check_range+0xf5/0x1d0\n kvm_make_vcpus_request_mask+0x174/0x440 [kvm]\n kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]\n ? kvm_arch_exit+0x110/0x110 [kvm]\n ? sched_clock+0x5/0x10\n ioapic_write_indirect+0x59f/0x9e0 [kvm]\n ? static_obj+0xc0/0xc0\n ? __lock_acquired+0x1d2/0x8c0\n ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]\n\nThe problem appears to be that 'vcpu_bitmap' is allocated as a single long\non stack and it should really be KVM_MAX_VCPUS long. We also seem to clear\nthe lower 16 bits of it with bitmap_zero() for no particular reason (my\nguess would be that 'bitmap' and 'vcpu_bitmap' variables in\nkvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed\n16-bit long, the later should accommodate all possible vCPUs)." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "arch/x86/kvm/ioapic.c" ], "versions": [ { "version": "7ee30bc132c6", "lessThan": "bebabb76ad9a", "status": "affected", "versionType": "git" }, { "version": "7ee30bc132c6", "lessThan": "99a9e9b80f19", "status": "affected", "versionType": "git" }, { "version": "7ee30bc132c6", "lessThan": "2f9b68f57c62", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "arch/x86/kvm/ioapic.c" ], "versions": [ { "version": "5.5", "status": "affected" }, { "version": "0", "lessThan": "5.5", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.71", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.14.10", "lessThanOrEqual": "5.14.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/bebabb76ad9acca8858e0371e102fb60d708e25b" }, { "url": "https://git.kernel.org/stable/c/99a9e9b80f19fc63be005a33d76211dd23114792" }, { "url": "https://git.kernel.org/stable/c/2f9b68f57c6278c322793a06063181deded0ad69" } ], "title": "KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()", "x_generator": { "engine": "bippy-a5840b7849dd" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2021-47390", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }