x86/paravirt: Detect over-sized patching bugs in paravirt_patch_insns()

Ingo Molnar · Ingo Molnar · commit 2777cae2b19d · 2019-04-25T12:00:31.000+02:00
So paravirt_patch_insns() contains this gem of logic: unsigned paravirt_patch_insns(void *insnbuf, unsigned len, const char *start, const char *end) { unsigned insn_len = end - start; if (insn_len > len || start == NULL) insn_len = len; else memcpy(insnbuf, start, insn_len); return insn_len; } Note how 'len' (size of the original instruction) is checked against the new instruction, and silently discarded with no warning printed whatsoever. This crashes the kernel in funny ways if the patching template is buggy, and usually in much later places. Instead do a direct BUG_ON(), there's no way to continue successfully at that point. I've tested this patch, with the vanilla kernel check never triggers, and if I intentionally increase the size of one of the patch templates to a too high value the assert triggers: [ 0.164385] kernel BUG at arch/x86/kernel/paravirt.c:167! Without this patch a broken kernel randomly crashes in later places, after the silent patching failure. Cc: Andy Lutomirski <luto@kernel.org> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Juergen Gross <jgross@suse.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Rik van Riel <riel@surriel.com> Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/20190425091717.GA72229@gmail.com Signed-off-by: Ingo Molnar <mingo@kernel.org>
diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
@@ -163,10 +163,10 @@ unsigned paravirt_patch_insns(void *insnbuf, unsigned len,
 {
 	unsigned insn_len = end - start;
 
-	if (insn_len > len || start == NULL)
-		insn_len = len;
-	else
-		memcpy(insnbuf, start, insn_len);
+	/* Alternative instruction is too large for the patch site and we cannot continue: */
+	BUG_ON(insn_len > len || start == NULL);
+
+	memcpy(insnbuf, start, insn_len);
 
 	return insn_len;
 }

Original file line number	Diff line number	Diff line change
`@@ -163,10 +163,10 @@ unsigned paravirt_patch_insns(void *insnbuf, unsigned len,`
`163`	`163`	`{`
`164`	`164`	`unsigned insn_len = end - start;`
`165`	`165`
`166`		`- if (insn_len > len \|\| start == NULL)`
`167`		`- insn_len = len;`
`168`		`- else`
`169`		`- memcpy(insnbuf, start, insn_len);`
	`166`	`+ /* Alternative instruction is too large for the patch site and we cannot continue: */`
	`167`	`+ BUG_ON(insn_len > len \|\| start == NULL);`
	`168`	`+`
	`169`	`+ memcpy(insnbuf, start, insn_len);`
`170`	`170`
`171`	`171`	`return insn_len;`
`172`	`172`	`}`