KVM: x86: Bug the VM on an out-of-bounds data read
author Sean Christopherson <seanjc@google.com>
Thu, 26 May 2022 21:08:17 +0000 (21:08 +0000)
committer Paolo Bonzini <pbonzini@redhat.com>
Fri, 10 Jun 2022 14:01:34 +0000 (10:01 -0400)
Bug the VM and terminate emulation if an out-of-bounds read into the
emulator's data cache occurs.  Knowingly continuing on all but guarantees
that KVM will overwrite random kernel data, which is far, far worse than
killing the VM.

Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20220526210817.3428868-9-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
arch/x86/kvm/emulate.c

index 2aa17462a9acef14ba7738947baf6c270bc019cb..39ea9138224c62b434b917b77ed4cd66662ecc55 100644 (file)
@@ -1373,7 +1373,8 @@ static int read_emulated(struct x86_emulate_ctxt *ctxt,
        if (mc->pos < mc->end)
                goto read_cached;
 
-       WARN_ON((mc->end + size) >= sizeof(mc->data));
+       if (KVM_EMULATOR_BUG_ON((mc->end + size) >= sizeof(mc->data), ctxt))
+               return X86EMUL_UNHANDLEABLE;
 
        rc = ctxt->ops->read_emulated(ctxt, addr, mc->data + mc->end, size,
                                      &ctxt->exception);
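
Review bot: The condition carried over into the new check, `(mc->end + size) >= sizeof(mc->data)`, uses `>=`, so a read where `mc->end + size == sizeof(mc->data)` is treated as a bug and kills the VM even though the copy to `mc->data + mc->end` would still end inside the buffer. If rejecting the exact-fit case is intentional, a short comment above the check saying so would save the next reader the arithmetic; otherwise `>` is the tighter bound. The early `return X86EMUL_UNHANDLEABLE` sits before the `ctxt->ops->read_emulated()` call, so nothing is written into the cache on the failing path, which matches the intent stated in the commit message.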