KVM: nSVM: Avoid freeing uninitialized pointers in svm_set_nested_sta…

…te() The save and ctl pointers are passed uninitialized to kfree() when svm_set_nested_state() follows the 'goto out_set_gif' path. While the issue could've been fixed by initializing these on-stack varialbles to NULL, it seems preferable to eliminate 'out_set_gif' label completely as it is not actually a failure path and duplicating a single svm_set_gif() call doesn't look too bad. [ bp: Drop obscure Addresses-Coverity: tag. ] Fixes: 6ccbd29 ("KVM: SVM: nested: Don't allocate VMCB structures on stack") Reported-by: Dan Carpenter <[email protected]> Reported-by: Joerg Roedel <[email protected]> Reported-by: Colin King <[email protected]> Signed-off-by: Vitaly Kuznetsov <[email protected]> Signed-off-by: Borislav Petkov <[email protected]> Reviewed-by: Sean Christopherson <[email protected]> Acked-by: Joerg Roedel <[email protected]> Tested-by: Tom Lendacky <[email protected]> Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Paolo Bonzini <[email protected]>
sourajitk · Sep 28, 2020 · d5cd6f3 · d5cd6f3
1 parent 2e3df76
commit d5cd6f3
Showing 1 changed file with 3 additions and 5 deletions.
diff --git a/arch/x86/kvm/svm/nested.c b/arch/x86/kvm/svm/nested.c
@@ -1094,7 +1094,8 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu,
 
 	if (!(kvm_state->flags & KVM_STATE_NESTED_GUEST_MODE)) {
 		svm_leave_nested(svm);
-		goto out_set_gif;
+		svm_set_gif(svm, !!(kvm_state->flags & KVM_STATE_NESTED_GIF_SET));
+		return 0;
 	}
 
 	if (!page_address_valid(vcpu, kvm_state->hdr.svm.vmcb_pa))
@@ -1148,10 +1149,7 @@ static int svm_set_nested_state(struct kvm_vcpu *vcpu,
 	nested_prepare_vmcb_control(svm);
 
 	if (!nested_svm_vmrun_msrpm(svm))
-		return -EINVAL;
-
-out_set_gif:
-	svm_set_gif(svm, !!(kvm_state->flags & KVM_STATE_NESTED_GIF_SET));
+		goto out_free;
 
 	ret = 0;
 out_free: