CVE-2021-47390

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect()<br /> <br /> KASAN reports the following issue:<br /> <br /> BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]<br /> Read of size 8 at addr ffffc9001364f638 by task qemu-kvm/4798<br /> <br /> CPU: 0 PID: 4798 Comm: qemu-kvm Tainted: G X --------- ---<br /> Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM0081C 07/13/2020<br /> Call Trace:<br /> dump_stack+0xa5/0xe6<br /> print_address_description.constprop.0+0x18/0x130<br /> ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]<br /> __kasan_report.cold+0x7f/0x114<br /> ? kvm_make_vcpus_request_mask+0x174/0x440 [kvm]<br /> kasan_report+0x38/0x50<br /> kasan_check_range+0xf5/0x1d0<br /> kvm_make_vcpus_request_mask+0x174/0x440 [kvm]<br /> kvm_make_scan_ioapic_request_mask+0x84/0xc0 [kvm]<br /> ? kvm_arch_exit+0x110/0x110 [kvm]<br /> ? sched_clock+0x5/0x10<br /> ioapic_write_indirect+0x59f/0x9e0 [kvm]<br /> ? static_obj+0xc0/0xc0<br /> ? __lock_acquired+0x1d2/0x8c0<br /> ? kvm_ioapic_eoi_inject_work+0x120/0x120 [kvm]<br /> <br /> The problem appears to be that &amp;#39;vcpu_bitmap&amp;#39; is allocated as a single long<br /> on stack and it should really be KVM_MAX_VCPUS long. We also seem to clear<br /> the lower 16 bits of it with bitmap_zero() for no particular reason (my<br /> guess would be that &amp;#39;bitmap&amp;#39; and &amp;#39;vcpu_bitmap&amp;#39; variables in<br /> kvm_bitmap_or_dest_vcpus() caused the confusion: while the later is indeed<br /> 16-bit long, the later should accommodate all possible vCPUs).