From 942d6ddd3f4bb401b0cf183fec476055c813400b Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Thu, 19 Sep 2019 17:10:20 +0200
Subject: [PATCH] KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
---
 debian/changelog | 1 +
 ...M-coalesced_mmio-add-bounds-checking.patch | 79 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 81 insertions(+)
 create mode 100644 debian/patches/bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
diff --git a/debian/changelog b/debian/changelog
index 5dde8228e..850a409cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
 [ Salvatore Bonaccorso ]
 * vhost: make sure log_num < in_num (CVE-2019-14835)
 * [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
+ * KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
 -- Romain Perier Wed, 28 Aug 2019 13:28:09 +0200
diff --git a/debian/patches/bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch b/debian/patches/bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
new file mode 100644
index 000000000..d8fc61ebb
--- /dev/null
+++ b/debian/patches/bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
@@ -0,0 +1,79 @@
+From: Matt Delco
+Date: Mon, 16 Sep 2019 14:16:54 -0700
+Subject: KVM: coalesced_mmio: add bounds checking
+Origin: https://git.kernel.org/linus/b60fe990c6b07ef6d4df67bc0530c7c90a62623a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14821
+
+The first/last indexes are typically shared with a user app.
+The app can change the 'last' index that the kernel uses
+to store the next result. This change sanity checks the index
+before using it for writing to a potentially arbitrary address.
+
+This fixes CVE-2019-14821.
+
+Cc: stable@vger.kernel.org
+Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
+Signed-off-by: Matt Delco
+Signed-off-by: Jim Mattson
+Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
+[Use READ_ONCE. - Paolo]
+Signed-off-by: Paolo Bonzini
+[Salvatore Bonaccorso: backport to 4.19: Adjust for context changes, cherry-pick
+ commit from stable-queue for 4.19.75]
+---
+ virt/kvm/coalesced_mmio.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/virt/kvm/coalesced_mmio.c
++++ b/virt/kvm/coalesced_mmio.c
+@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struc
+ return 1;
+ }
+
+-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
++static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
+ {
+ struct kvm_coalesced_mmio_ring *ring;
+ unsigned avail;
+@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struc
+ * there is always one unused entry in the buffer
+ */
+ ring = dev->kvm->coalesced_mmio_ring;
+- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
++ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
+ if (avail == 0) {
+ /* full */
+ return 0;
+@@ -67,24 +67,27 @@ static int coalesced_mmio_write(struct k
+ {
+ struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
+ struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
++ __u32 insert;
+
+ if (!coalesced_mmio_in_range(dev, addr, len))
+ return -EOPNOTSUPP;
+
+ spin_lock(&dev->kvm->ring_lock);
+
+- if (!coalesced_mmio_has_room(dev)) {
++ insert = READ_ONCE(ring->last);
++ if (!coalesced_mmio_has_room(dev, insert) ||
++ insert >= KVM_COALESCED_MMIO_MAX) {
+ spin_unlock(&dev->kvm->ring_lock);
+ return -EOPNOTSUPP;
+ }
+
+ /* copy data in first free entry of the ring */
+
+- ring->coalesced_mmio[ring->last].phys_addr = addr;
+- ring->coalesced_mmio[ring->last].len = len;
+- memcpy(ring->coalesced_mmio[ring->last].data, val, len);
++ ring->coalesced_mmio[insert].phys_addr = addr;
++ ring->coalesced_mmio[insert].len = len;
++ memcpy(ring->coalesced_mmio[insert].data, val, len);
+ smp_wmb();
+- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
++ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
+ spin_unlock(&dev->kvm->ring_lock);
+ return 0;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 2108173e4..b0b9b263d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -166,6 +166,7 @@ bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
 bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
 bugfix/all/vhost-make-sure-log_num-in_num.patch
 bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
+bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
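Review bot: In the coalesced_mmio_write hunk of the quoted patch, the new `insert >= KVM_COALESCED_MMIO_MAX` bound is evaluated only after `coalesced_mmio_has_room(dev, insert)` has already consumed the unchecked value; that helper only feeds `last` into unsigned modular arithmetic (`(ring->first - last - 1) % KVM_COALESCED_MMIO_MAX`), so no out-of-bounds access results, but ordering the conditions as `if (insert >= KVM_COALESCED_MMIO_MAX || !coalesced_mmio_has_room(dev, insert)) {` would make the validate-before-use order self-evident. The essential property of the fix — `ring->last` lives in memory shared with userspace, so it must be snapshotted once with `READ_ONCE` and bounded before it is used as an index, and the same snapshot must be used for the write-back of `ring->last` — is stated only in the commit message, not in the code; a comment above the snapshot such as `/* ring->last is writable by userspace: read it once and bound it before indexing */` would keep a later cleanup from reverting to re-reading the field. `ring->first` is still read directly inside has_room and is equally userspace-controlled; that is harmless because it is only used arithmetically, which the comment could also record. The signature of coalesced_mmio_write lies outside the hunk (only its truncated form appears in the hunk header). Since this commit adds a backport of an upstream patch, any such change would have to go into the quoted patch itself or a follow-up, and diverging from the upstream text should be weighed against that.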