mkubecek / vmware-host-modules

Patches needed to build VMware (Player and Workstation) host modules against recent kernels
GNU General Public License v2.0

array-index-out-of-bounds in /usr/src/vmware-host-modules/vmmon-only/common/vmx86.c #255

Open eku opened 1 month ago

eku commented 1 month ago
[  318.713361] ------------[ cut here ]------------
[  318.713363] UBSAN: array-index-out-of-bounds in /usr/src/vmware-host-modules/vmmon-only/common/vmx86.c:2588:25
[  318.713365] index 0 is out of range for type 'MSRReply [*]'
[  318.713366] CPU: 4 PID: 4694 Comm: vmware-vmx Tainted: P        W  OE      6.8.10-200.fc39.x86_64 #1
[  318.713368] Hardware name: Dell Inc.          Dell System XPS L702X, BIOS A16 01/10/2012
[  318.713369] Call Trace:
[  318.713370]  <TASK>
[  318.713372]  dump_stack_lvl+0x64/0x80
[  318.713376]  __ubsan_handle_out_of_bounds+0x95/0xd0
[  318.713380]  Vmx86GetMSR+0x110/0x1d0 [vmmon]
[  318.713390]  ? __pfx_Vmx86GetMSR+0x10/0x10 [vmmon]
[  318.713400]  HostIF_CallOnEachCPU+0x1d/0x50 [vmmon]
[  318.713409]  Vmx86_GetAllMSRs+0x40/0x80 [vmmon]
[  318.713418]  LinuxDriver_Ioctl+0x6d1/0xf20 [vmmon]
[  318.713427]  ? __check_object_size+0x272/0x2e0
[  318.713430]  ? LinuxDriver_Ioctl+0x424/0xf20 [vmmon]
[  318.713438]  ? folio_mark_dirty+0x12/0x60
[  318.713442]  ? shmem_write_end+0x84/0x160
[  318.713446]  ? generic_perform_write+0x15c/0x240
[  318.713450]  ? shmem_file_write_iter+0x5e/0x90
[  318.713453]  ? vfs_write+0x29b/0x470
[  318.713456]  ? syscall_exit_to_user_mode+0x83/0x230
[  318.713459]  ? xas_load+0x41/0x50
[  318.713462]  ? xas_load+0x41/0x50
[  318.713465]  ? filemap_get_entry+0xeb/0x160
[  318.713469]  ? avc_has_extended_perms+0x234/0x520
[  318.713474]  ? ioctl_has_perm.constprop.0.isra.0+0xda/0x130
[  318.713478]  __x64_sys_ioctl+0x94/0xd0
[  318.713482]  do_syscall_64+0x83/0x170
[  318.713484]  ? syscall_exit_to_user_mode+0x83/0x230
[  318.713487]  ? do_syscall_64+0x90/0x170
[  318.713489]  ? do_syscall_64+0x90/0x170
[  318.713491]  ? do_syscall_64+0x90/0x170
[  318.713494]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  318.713496] RIP: 0033:0x7f29c222a3ed
[  318.713501] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[  318.713502] RSP: 002b:00007fffebbe20a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  318.713505] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007f29c222a3ed
[  318.713506] RDX: 00007fffebbe2108 RSI: 00000000000007ee RDI: 000000000000000f
[  318.713507] RBP: 00007fffebbe20f0 R08: 00000000000000d0 R09: 0000000000000001
[  318.713509] R10: 0000000000000004 R11: 0000000000000246 R12: 000000000000008b
[  318.713510] R13: 000055f5e7b1b530 R14: 00007f29c284f000 R15: 0000000000000000
[  318.713512]  </TASK>
[  318.713518] ---[ end trace ]---

Let me know if you need any further information.

eku commented 1 month ago

A similar error happens in /usr/src/vmware-host-modules/vmmon-only/linux/hostif.c

[  318.711364] UBSAN: array-index-out-of-bounds in /usr/src/vmware-host-modules/vmmon-only/linux/hostif.c:2702:60
[  318.711366] index 0 is out of range for type 'CPUIDReply [*]'
[  318.711367] CPU: 4 PID: 4694 Comm: vmware-vmx Tainted: P        W  OE      6.8.10-200.fc39.x86_64 #1
[  318.711369] Hardware name: Dell Inc.          Dell System XPS L702X, BIOS A16 01/10/2012
[  318.711370] Call Trace:
[  318.711371]  <TASK>
[  318.711372]  dump_stack_lvl+0x64/0x80
[  318.711376]  __ubsan_handle_out_of_bounds+0x95/0xd0
[  318.711380]  HostIF_GetAllCpuInfo+0x91/0x110 [vmmon]
[  318.711391]  LinuxDriver_Ioctl+0x3fe/0xf20 [vmmon]
[  318.711400]  ? vsnprintf+0x1dc/0x630
[  318.711404]  ? seq_printf+0x9a/0xc0
[  318.711406]  ? _copy_to_iter+0x8b/0x620
[  318.711409]  ? _copy_to_iter+0x8b/0x620
[  318.711411]  ? seq_puts+0x3d/0x60
[  318.711414]  ? seq_read_iter+0x208/0x480
[  318.711416]  ? __rmqueue_pcplist+0xdf/0xff0
[  318.711419]  ? vfs_read+0x24c/0x380
[  318.711422]  ? post_alloc_hook+0xce/0x130
[  318.711425]  ? get_page_from_freelist+0x60e/0x1d00
[  318.711428]  ? avc_has_extended_perms+0x234/0x520
[  318.711433]  ? ioctl_has_perm.constprop.0.isra.0+0xda/0x130
[  318.711437]  __x64_sys_ioctl+0x94/0xd0
[  318.711441]  do_syscall_64+0x83/0x170
[  318.711443]  ? __handle_mm_fault+0xb46/0xe40
[  318.711446]  ? __count_memcg_events+0x69/0x100
[  318.711449]  ? count_memcg_events.constprop.0+0x1a/0x30
[  318.711452]  ? handle_mm_fault+0xa2/0x360
[  318.711454]  ? do_user_addr_fault+0x304/0x690
[  318.711458]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  318.711460] RIP: 0033:0x7f29c222a3ed
[  318.711464] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[  318.711466] RSP: 002b:00007fffebbe1fe0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  318.711468] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007f29c222a3ed
[  318.711469] RDX: 00007fffebbe2048 RSI: 00000000000007f8 RDI: 000000000000000f
[  318.711471] RBP: 00007fffebbe2030 R08: 000055f5e7b10190 R09: 0000000000000000
[  318.711472] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  318.711473] R13: 0000000000000008 R14: 00007f29c284f000 R15: 0000000000000000
[  318.711476]  </TASK>
[  318.711484] ---[ end trace ]---
richardm1 commented 1 month ago

Similar here with kernel 6.8.9-300.fc40.x86_64 (Fedora 40) and VMware Workstation 17.5.2.

UBSAN: array-index-out-of-bounds in /home/ram/Downloads/vmware-host-modules/vmmon-only/common/vmx86.c:3652:38
[  +0.000001] index 0 is out of range for type 'MSRReply [*]'
[  +0.000000] CPU: 6 PID: 1135 Comm: modprobe Tainted: G        W  OE      6.8.9-300.fc40.x86_64 #1
[  +0.000001] Hardware name: ASUS System Product Name/ProArt B650-CREATOR, BIOS 2007 04/12/2024
[  +0.000001] Call Trace:
[  +0.000001]  <TASK>
[  +0.000000]  dump_stack_lvl+0x6a/0x90
[  +0.000002]  __ubsan_handle_out_of_bounds+0x95/0xd0
[  +0.000003]  Vmx86GenFindCommonIntelVTCap+0x1f0/0x1580 [vmmon]
[  +0.000007]  Vmx86_CheckMSRUniformity+0x48d/0x710 [vmmon]
[  +0.000006]  ? __pfx_LinuxDriverInit+0x10/0x10 [vmmon]
[  +0.000006]  LinuxDriverInit+0x56/0x1a0 [vmmon]
[  +0.000005]  ? __pfx_LinuxDriverInit+0x10/0x10 [vmmon]
[  +0.000005]  do_one_initcall+0x58/0x320
[  +0.000004]  do_init_module+0x90/0x270
[  +0.000002]  init_module_from_file+0x86/0xc0
[  +0.000004]  idempotent_init_module+0x121/0x2b0
[  +0.000004]  __x64_sys_finit_module+0x5e/0xb0
[  +0.000003]  do_syscall_64+0x83/0x170
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? __rseq_handle_notify_resume+0xa9/0x500
[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? switch_fpu_return+0x4f/0xe0
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? syscall_exit_to_user_mode+0x83/0x230
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? do_syscall_64+0x8f/0x170
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? syscall_exit_to_user_mode+0x83/0x230
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? do_syscall_64+0x8f/0x170
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? vfs_statx+0x93/0x1c0
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? vfs_fstatat+0x94/0xb0
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? __do_sys_newfstatat+0x3c/0x80
[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? syscall_exit_to_user_mode+0x83/0x230
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? do_syscall_64+0x8f/0x170
[  +0.000002]  ? do_user_addr_fault+0x304/0x690
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  +0.000001] RIP: 0033:0x7fd464b2918d
[  +0.000002] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b cc 0c 00 f7 d8 64 89 01 48
[  +0.000001] RSP: 002b:00007ffd3a9d1e98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[  +0.000001] RAX: ffffffffffffffda RBX: 000055aa99115e10 RCX: 00007fd464b2918d
[  +0.000001] RDX: 0000000000000000 RSI: 000055aa98efbe79 RDI: 0000000000000003
[  +0.000001] RBP: 00007ffd3a9d1f50 R08: 00007fd464bf6b20 R09: 0000000000000000
[  +0.000001] R10: 000055aa991160d0 R11: 0000000000000246 R12: 000055aa98efbe79
[  +0.000001] R13: 0000000000040000 R14: 000055aa99115db0 R15: 000055aa9911d490
[  +0.000003]  </TASK>
[  +0.000001] ---[ end trace ]---
sluzynsk commented 2 weeks ago

Same issue on Ubuntu 24.04 with the 6.8.0 kernel and Workstation 17.5.2.

[ 1704.099226] UBSAN: array-index-out-of-bounds in /home/sluzynsk/source/vmware-host-modules/vmmon-only/common/moduleloop.c:341:49
[ 1704.099230] index 0 is out of range for type 'MSRReply [*]'
[ 1704.099232] CPU: 1 PID: 14397 Comm: vmx-vcpu-0 Tainted: G OE 6.8.0-35-generic #35-Ubuntu
[ 1704.099234] Hardware name: Hewlett-Packard HP EliteDesk 800 G1 SFF/1998, BIOS L01 v02.77 04/17/2019
[ 1704.099236] Call Trace:
[ 1704.099238]  <TASK>
[ 1704.099240]  dump_stack_lvl+0x48/0x70
[ 1704.099250]  dump_stack+0x10/0x20
[ 1704.099252]  __ubsan_handle_out_of_bounds+0xc6/0x110
[ 1704.099257]  Vmx86_RunVM+0x401/0x7d0 [vmmon]
[ 1704.099269]  ? radix_tree_lookup+0xd/0x20
[ 1704.099274]  LinuxDriver_Ioctl+0xac9/0x1320 [vmmon]
[ 1704.099281]  ? vfs_write+0x322/0x480
[ 1704.099285]  ? vfs_write+0x322/0x480
[ 1704.099288]  ? __f_unlock_pos+0x12/0x20
[ 1704.099292]  ? ksys_write+0xe6/0x100
[ 1704.099295]  __x64_sys_ioctl+0xa3/0xf0
[ 1704.099298]  ? __pfx_LinuxDriver_Ioctl+0x10/0x10 [vmmon]
[ 1704.099303]  ? __x64_sys_ioctl+0xa3/0xf0
[ 1704.099305]  x64_sys_call+0x143b/0x25c0
[ 1704.099307]  do_syscall_64+0x7f/0x180
[ 1704.099311]  ? syscall_exit_to_user_mode+0x86/0x260
[ 1704.099313]  ? do_syscall_64+0x8c/0x180
[ 1704.099315]  ? irqentry_exit_to_user_mode+0x7b/0x260
[ 1704.099317]  ? irqentry_exit+0x43/0x50
[ 1704.099318]  ? exc_page_fault+0x94/0x1b0
[ 1704.099319]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[ 1704.099322] RIP: 0033:0x76b3e8524ded
[ 1704.099340] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[ 1704.099341] RSP: 002b:000076b272ffc820 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1704.099343] RAX: ffffffffffffffda RBX: 000063af61a088b8 RCX: 000076b3e8524ded
[ 1704.099345] RDX: 0000000000000000 RSI: 00000000000007d8 RDI: 000000000000000f
[ 1704.099346] RBP: 000076b272ffc870 R08: 000063af62f4af40 R09: 0000000000000000
[ 1704.099346] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000138
[ 1704.099348] R13: 000076b3e86d6388 R14: 000076b3e86d63a0 R15: 00007ffca058e380
[ 1704.099349]  </TASK>
[ 1704.099350] ---[ end trace ]---
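Editor's note, added here and not part of the thread or of the vmware-host-modules code: all four traces above carry the same diagnostic shape, `index 0 is out of range for type 'X [*]'`. That is what GCC's bounds sanitizer (CONFIG_UBSAN_BOUNDS) reports for a struct whose trailing array is declared with the old zero-length idiom `T arr[0]` once the kernel is built with `-fstrict-flex-arrays=3`, which mainline does from 6.5 on when the compiler supports it: the array is then treated as having genuinely zero elements, so even `arr[0]` is out of range, while a C99 flexible array member `T arr[]` is not instrumented because it has no compile-time extent. The stand-alone C below reproduces the pattern with constructed types (`MsrReply`, `MsrQueryLegacy`, `MsrQuery` and the sample values are all made up); that vmmon's MSR/CPUID reply structs use a `[0]` trailing array is my assumption, not something this issue confirms. It also shows the explicit run-time bounds check a driver has to do by hand once the sanitizer can no longer see the array's size.

```c
/* Added example: not vmware-host-modules code. The struct names, fields and
 * sample data are constructed to illustrate the UBSAN diagnostic class above;
 * that vmmon uses this exact layout is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct MsrReply {
    uint32_t cpu;     /* logical CPU the value was read on (constructed) */
    uint64_t value;   /* MSR value (constructed sample data) */
} MsrReply;

/* Pre-C99 idiom: trailing zero-length array. With -fstrict-flex-arrays=3
 * the compiler treats this as a zero-element array, and -fsanitize=bounds
 * reports "index 0 is out of range for type 'MsrReply [*]'" on first access. */
typedef struct MsrQueryLegacy {
    uint32_t msrNum;
    uint32_t numCpus;
    MsrReply replies[0];
} MsrQueryLegacy;

/* C99 flexible array member: no compile-time extent, so the bounds sanitizer
 * does not instrument it; the only bound is the count stored in numCpus,
 * which the accessor below checks explicitly. */
typedef struct MsrQuery {
    uint32_t msrNum;
    uint32_t numCpus;
    MsrReply replies[];
} MsrQuery;

/* The access pattern the traces flag: indexing the zero-length array.
 * Without -fstrict-flex-arrays=3 GCC still treats [0] as a flexible array and
 * this simply reads the first reply; with it, this line is the UBSAN hit. */
uint32_t legacy_first_reply_cpu(const MsrQueryLegacy *q)
{
    return q->numCpus ? q->replies[0].cpu : UINT32_MAX;
}

/* Both layouts put the replies at the same offset and have the same header
 * size, which is why changing [0] to [] is a source-only fix with no ABI
 * impact on the ioctl payload. */
int msr_layouts_match(void)
{
    return offsetof(MsrQueryLegacy, replies) == offsetof(MsrQuery, replies)
        && sizeof(MsrQueryLegacy) == sizeof(MsrQuery);
}

/* Allocate a query with room for n replies, sized from the struct itself so
 * header and array cannot drift apart; guards the size computation. */
static MsrQuery *msr_query_alloc(uint32_t msrNum, uint32_t n)
{
    MsrQuery *q;
    if (n > SIZE_MAX / sizeof(MsrReply) - sizeof(MsrQuery))
        return NULL;                                  /* size overflow */
    q = calloc(1, sizeof(*q) + (size_t)n * sizeof(MsrReply));
    if (!q)
        return NULL;
    q->msrNum = msrNum;
    q->numCpus = n;
    return q;
}

/* Bounds-checked read: the check a driver must do itself, because with a
 * flexible array the extent is only known at run time. 0 on success, -1 if
 * idx is outside the count the allocation was sized for. */
static int msr_query_get(const MsrQuery *q, uint32_t idx, MsrReply *out)
{
    if (idx >= q->numCpus)
        return -1;
    *out = q->replies[idx];
    return 0;
}

/* Constructed sample: ncpus CPUs "answer" a query; reply i carries 0x100 + i.
 * Returns the sum of the values read through the checked accessor, or 0 if
 * any read fails or the one-past-the-end probe is wrongly accepted. */
uint64_t demo_sum_of_replies(uint32_t ncpus)
{
    MsrQuery *q = msr_query_alloc(0x1a0, ncpus);
    MsrReply r;
    uint64_t sum = 0;
    uint32_t i;
    if (!q)
        return 0;
    for (i = 0; i < q->numCpus; i++) {
        q->replies[i].cpu = i;
        q->replies[i].value = 0x100u + i;
    }
    for (i = 0; i < ncpus; i++) {
        if (msr_query_get(q, i, &r) != 0) { free(q); return 0; }
        sum += r.value;
    }
    /* One past the end must be rejected; in a [0] build UBSAN would already
     * have fired at index 0, long before this check is reached. */
    if (msr_query_get(q, ncpus, &r) == 0) { free(q); return 0; }
    free(q);
    return sum;
}

int main(void)
{
    printf("layouts match: %d\n", msr_layouts_match());
    printf("sum over 4 constructed replies: %llu\n",
           (unsigned long long)demo_sum_of_replies(4));
    return 0;
}
```

Compiling the `[0]` variant with `gcc -fsanitize=bounds -fstrict-flex-arrays=3` is the quickest way to see the exact wording from these traces on a desktop toolchain; the `[]` variant compiled the same way stays silent, which is also why the fix shifts the burden to explicit count checks like `msr_query_get`.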

mack-w commented 1 week ago

duplicate of #243