[PATCH] KVM: coalesced_mmio: Fix out-of-bounds write in coalesced_mmio_write()

Next message: Bird, Tim: "RE: [PATCH] printk: add early_counter_ns routine for printk blind spot"
Previous message: Andrew Jeffery: "Re: [PATCH v4 2/2] dts: aspeed: Add a dts for the nvidia msx4 hpm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: redacherkaoui

Date: Wed Nov 26 2025 - 19:11:45 EST

From: redahack12-glitch <redahack12@xxxxxxxxx>

The coalesced MMIO ring stores each entry's MMIO payload in an 8-byte
fixed-size buffer (data[8]). However, coalesced_mmio_write() copies
the payload using memcpy(..., len) without verifying that 'len' does not
exceed the buffer size.

A malicious or buggy caller could therefore trigger a write past the end
of the data[] array and corrupt adjacent kernel memory inside the ring
page.

Add a bounds check to reject writes where len > sizeof(data).

Signed-off-by: REDA CHERKAOUI <redacherkaoui67@xxxxxxxxx>
---
virt/kvm/coalesced_mmio.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
index 375d6285475e..4f302713de9e 100644
--- a/virt/kvm/coalesced_mmio.c
+++ b/virt/kvm/coalesced_mmio.c
@@ -68,6 +68,14 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu,

/* copy data in first free entry of the ring */

+ /* Prevent overflow of the fixed 8-byte data[] field */
+ if (len > sizeof(ring->coalesced_mmio[insert].data)) {
+ spin_unlock(&dev->kvm->ring_lock);
+ pr_warn_ratelimited("KVM: coalesced MMIO write too large (%d > %zu)\n",
+ len, sizeof(ring->coalesced_mmio[insert].data));
+ return -E2BIG;
+ }
+
ring->coalesced_mmio[insert].phys_addr = addr;
ring->coalesced_mmio[insert].len = len;
memcpy(ring->coalesced_mmio[insert].data, val, len);
--
2.43.0