
array-index-out-of-bounds in /usr/src/vmware-host-modules/vmmon-only/common/vmx86.c #255

Open
eku opened this issue May 30, 2024 · 4 comments

Comments

@eku

eku commented May 30, 2024

  • Workstation 12.5.9 build-7535481
  • Fedora with Kernel 6.8.10-200.fc39.x86_64
  • Branch workstation-12.5.9 at 0e1d2a8
[  318.713361] ------------[ cut here ]------------
[  318.713363] UBSAN: array-index-out-of-bounds in /usr/src/vmware-host-modules/vmmon-only/common/vmx86.c:2588:25
[  318.713365] index 0 is out of range for type 'MSRReply [*]'
[  318.713366] CPU: 4 PID: 4694 Comm: vmware-vmx Tainted: P        W  OE      6.8.10-200.fc39.x86_64 #1
[  318.713368] Hardware name: Dell Inc.          Dell System XPS L702X, BIOS A16 01/10/2012
[  318.713369] Call Trace:
[  318.713370]  <TASK>
[  318.713372]  dump_stack_lvl+0x64/0x80
[  318.713376]  __ubsan_handle_out_of_bounds+0x95/0xd0
[  318.713380]  Vmx86GetMSR+0x110/0x1d0 [vmmon]
[  318.713390]  ? __pfx_Vmx86GetMSR+0x10/0x10 [vmmon]
[  318.713400]  HostIF_CallOnEachCPU+0x1d/0x50 [vmmon]
[  318.713409]  Vmx86_GetAllMSRs+0x40/0x80 [vmmon]
[  318.713418]  LinuxDriver_Ioctl+0x6d1/0xf20 [vmmon]
[  318.713427]  ? __check_object_size+0x272/0x2e0
[  318.713430]  ? LinuxDriver_Ioctl+0x424/0xf20 [vmmon]
[  318.713438]  ? folio_mark_dirty+0x12/0x60
[  318.713442]  ? shmem_write_end+0x84/0x160
[  318.713446]  ? generic_perform_write+0x15c/0x240
[  318.713450]  ? shmem_file_write_iter+0x5e/0x90
[  318.713453]  ? vfs_write+0x29b/0x470
[  318.713456]  ? syscall_exit_to_user_mode+0x83/0x230
[  318.713459]  ? xas_load+0x41/0x50
[  318.713462]  ? xas_load+0x41/0x50
[  318.713465]  ? filemap_get_entry+0xeb/0x160
[  318.713469]  ? avc_has_extended_perms+0x234/0x520
[  318.713474]  ? ioctl_has_perm.constprop.0.isra.0+0xda/0x130
[  318.713478]  __x64_sys_ioctl+0x94/0xd0
[  318.713482]  do_syscall_64+0x83/0x170
[  318.713484]  ? syscall_exit_to_user_mode+0x83/0x230
[  318.713487]  ? do_syscall_64+0x90/0x170
[  318.713489]  ? do_syscall_64+0x90/0x170
[  318.713491]  ? do_syscall_64+0x90/0x170
[  318.713494]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  318.713496] RIP: 0033:0x7f29c222a3ed
[  318.713501] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[  318.713502] RSP: 002b:00007fffebbe20a0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  318.713505] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007f29c222a3ed
[  318.713506] RDX: 00007fffebbe2108 RSI: 00000000000007ee RDI: 000000000000000f
[  318.713507] RBP: 00007fffebbe20f0 R08: 00000000000000d0 R09: 0000000000000001
[  318.713509] R10: 0000000000000004 R11: 0000000000000246 R12: 000000000000008b
[  318.713510] R13: 000055f5e7b1b530 R14: 00007f29c284f000 R15: 0000000000000000
[  318.713512]  </TASK>
[  318.713518] ---[ end trace ]---

Let me know if you need any further information.

@eku
Author

eku commented May 30, 2024

A similar error happens in /usr/src/vmware-host-modules/vmmon-only/linux/hostif.c

[  318.711364] UBSAN: array-index-out-of-bounds in /usr/src/vmware-host-modules/vmmon-only/linux/hostif.c:2702:60
[  318.711366] index 0 is out of range for type 'CPUIDReply [*]'
[  318.711367] CPU: 4 PID: 4694 Comm: vmware-vmx Tainted: P        W  OE      6.8.10-200.fc39.x86_64 #1
[  318.711369] Hardware name: Dell Inc.          Dell System XPS L702X, BIOS A16 01/10/2012
[  318.711370] Call Trace:
[  318.711371]  <TASK>
[  318.711372]  dump_stack_lvl+0x64/0x80
[  318.711376]  __ubsan_handle_out_of_bounds+0x95/0xd0
[  318.711380]  HostIF_GetAllCpuInfo+0x91/0x110 [vmmon]
[  318.711391]  LinuxDriver_Ioctl+0x3fe/0xf20 [vmmon]
[  318.711400]  ? vsnprintf+0x1dc/0x630
[  318.711404]  ? seq_printf+0x9a/0xc0
[  318.711406]  ? _copy_to_iter+0x8b/0x620
[  318.711409]  ? _copy_to_iter+0x8b/0x620
[  318.711411]  ? seq_puts+0x3d/0x60
[  318.711414]  ? seq_read_iter+0x208/0x480
[  318.711416]  ? __rmqueue_pcplist+0xdf/0xff0
[  318.711419]  ? vfs_read+0x24c/0x380
[  318.711422]  ? post_alloc_hook+0xce/0x130
[  318.711425]  ? get_page_from_freelist+0x60e/0x1d00
[  318.711428]  ? avc_has_extended_perms+0x234/0x520
[  318.711433]  ? ioctl_has_perm.constprop.0.isra.0+0xda/0x130
[  318.711437]  __x64_sys_ioctl+0x94/0xd0
[  318.711441]  do_syscall_64+0x83/0x170
[  318.711443]  ? __handle_mm_fault+0xb46/0xe40
[  318.711446]  ? __count_memcg_events+0x69/0x100
[  318.711449]  ? count_memcg_events.constprop.0+0x1a/0x30
[  318.711452]  ? handle_mm_fault+0xa2/0x360
[  318.711454]  ? do_user_addr_fault+0x304/0x690
[  318.711458]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  318.711460] RIP: 0033:0x7f29c222a3ed
[  318.711464] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[  318.711466] RSP: 002b:00007fffebbe1fe0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  318.711468] RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007f29c222a3ed
[  318.711469] RDX: 00007fffebbe2048 RSI: 00000000000007f8 RDI: 000000000000000f
[  318.711471] RBP: 00007fffebbe2030 R08: 000055f5e7b10190 R09: 0000000000000000
[  318.711472] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  318.711473] R13: 0000000000000008 R14: 00007f29c284f000 R15: 0000000000000000
[  318.711476]  </TASK>
[  318.711484] ---[ end trace ]---

@richardm1

Similar here with kernel 6.8.9-300.fc40.x86_64 (Fedora 40) and VMware Workstation 17.5.2.

UBSAN: array-index-out-of-bounds in /home/ram/Downloads/vmware-host-modules/vmmon-only/common/vmx86.c:3652:38
[  +0.000001] index 0 is out of range for type 'MSRReply [*]'
[  +0.000000] CPU: 6 PID: 1135 Comm: modprobe Tainted: G        W  OE      6.8.9-300.fc40.x86_64 #1
[  +0.000001] Hardware name: ASUS System Product Name/ProArt B650-CREATOR, BIOS 2007 04/12/2024
[  +0.000001] Call Trace:
[  +0.000001]  <TASK>
[  +0.000000]  dump_stack_lvl+0x6a/0x90
[  +0.000002]  __ubsan_handle_out_of_bounds+0x95/0xd0
[  +0.000003]  Vmx86GenFindCommonIntelVTCap+0x1f0/0x1580 [vmmon]
[  +0.000007]  Vmx86_CheckMSRUniformity+0x48d/0x710 [vmmon]
[  +0.000006]  ? __pfx_LinuxDriverInit+0x10/0x10 [vmmon]
[  +0.000006]  LinuxDriverInit+0x56/0x1a0 [vmmon]
[  +0.000005]  ? __pfx_LinuxDriverInit+0x10/0x10 [vmmon]
[  +0.000005]  do_one_initcall+0x58/0x320
[  +0.000004]  do_init_module+0x90/0x270
[  +0.000002]  init_module_from_file+0x86/0xc0
[  +0.000004]  idempotent_init_module+0x121/0x2b0
[  +0.000004]  __x64_sys_finit_module+0x5e/0xb0
[  +0.000003]  do_syscall_64+0x83/0x170
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? __rseq_handle_notify_resume+0xa9/0x500
[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? switch_fpu_return+0x4f/0xe0
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? syscall_exit_to_user_mode+0x83/0x230
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? do_syscall_64+0x8f/0x170
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? syscall_exit_to_user_mode+0x83/0x230
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? do_syscall_64+0x8f/0x170
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? vfs_statx+0x93/0x1c0
[  +0.000002]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? vfs_fstatat+0x94/0xb0
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? __do_sys_newfstatat+0x3c/0x80
[  +0.000004]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? syscall_exit_to_user_mode+0x83/0x230
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? do_syscall_64+0x8f/0x170
[  +0.000002]  ? do_user_addr_fault+0x304/0x690
[  +0.000003]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000001]  ? srso_alias_return_thunk+0x5/0xfbef5
[  +0.000002]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[  +0.000001] RIP: 0033:0x7fd464b2918d
[  +0.000002] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b cc 0c 00 f7 d8 64 89 01 48
[  +0.000001] RSP: 002b:00007ffd3a9d1e98 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[  +0.000001] RAX: ffffffffffffffda RBX: 000055aa99115e10 RCX: 00007fd464b2918d
[  +0.000001] RDX: 0000000000000000 RSI: 000055aa98efbe79 RDI: 0000000000000003
[  +0.000001] RBP: 00007ffd3a9d1f50 R08: 00007fd464bf6b20 R09: 0000000000000000
[  +0.000001] R10: 000055aa991160d0 R11: 0000000000000246 R12: 000055aa98efbe79
[  +0.000001] R13: 0000000000040000 R14: 000055aa99115db0 R15: 000055aa9911d490
[  +0.000003]  </TASK>
[  +0.000001] ---[ end trace ]---

@sluzynsk

Same issue on Ubuntu 24.04 with the 6.8.0 kernel and Workstation 17.5.2.

[ 1704.099226] UBSAN: array-index-out-of-bounds in /home/sluzynsk/source/vmware-host-modules/vmmon-only/common/moduleloop.c:341:49
[ 1704.099230] index 0 is out of range for type 'MSRReply [*]'
[ 1704.099232] CPU: 1 PID: 14397 Comm: vmx-vcpu-0 Tainted: G OE 6.8.0-35-generic #35-Ubuntu
[ 1704.099234] Hardware name: Hewlett-Packard HP EliteDesk 800 G1 SFF/1998, BIOS L01 v02.77 04/17/2019
[ 1704.099236] Call Trace:
[ 1704.099238] <TASK>
[ 1704.099240] dump_stack_lvl+0x48/0x70
[ 1704.099250] dump_stack+0x10/0x20
[ 1704.099252] __ubsan_handle_out_of_bounds+0xc6/0x110
[ 1704.099257] Vmx86_RunVM+0x401/0x7d0 [vmmon]
[ 1704.099269] ? radix_tree_lookup+0xd/0x20
[ 1704.099274] LinuxDriver_Ioctl+0xac9/0x1320 [vmmon]
[ 1704.099281] ? vfs_write+0x322/0x480
[ 1704.099285] ? vfs_write+0x322/0x480
[ 1704.099288] ? __f_unlock_pos+0x12/0x20
[ 1704.099292] ? ksys_write+0xe6/0x100
[ 1704.099295] __x64_sys_ioctl+0xa3/0xf0
[ 1704.099298] ? __pfx_LinuxDriver_Ioctl+0x10/0x10 [vmmon]
[ 1704.099303] ? __x64_sys_ioctl+0xa3/0xf0
[ 1704.099305] x64_sys_call+0x143b/0x25c0
[ 1704.099307] do_syscall_64+0x7f/0x180
[ 1704.099311] ? syscall_exit_to_user_mode+0x86/0x260
[ 1704.099313] ? do_syscall_64+0x8c/0x180
[ 1704.099315] ? irqentry_exit_to_user_mode+0x7b/0x260
[ 1704.099317] ? irqentry_exit+0x43/0x50
[ 1704.099318] ? exc_page_fault+0x94/0x1b0
[ 1704.099319] entry_SYSCALL_64_after_hwframe+0x78/0x80
[ 1704.099322] RIP: 0033:0x76b3e8524ded
[ 1704.099340] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1a 48 8b 45 c8 64 48 2b 04 25 28 00 00 00
[ 1704.099341] RSP: 002b:000076b272ffc820 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1704.099343] RAX: ffffffffffffffda RBX: 000063af61a088b8 RCX: 000076b3e8524ded
[ 1704.099345] RDX: 0000000000000000 RSI: 00000000000007d8 RDI: 000000000000000f
[ 1704.099346] RBP: 000076b272ffc870 R08: 000063af62f4af40 R09: 0000000000000000
[ 1704.099346] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000138
[ 1704.099348] R13: 000076b3e86d6388 R14: 000076b3e86d63a0 R15: 00007ffca058e380
[ 1704.099349] </TASK>
[ 1704.099350] ---[ end trace ]---
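All four reports in this thread have the same shape: "index 0 is out of range for type 'MSRReply [*]'" (or 'CPUIDReply [*]'), raised from different call paths (the MSR/CPUID ioctls, module init, the VM run loop). The '[*]' is how GCC's sanitizer prints a trailing array declared with a zero bound. Recent kernels, the 6.8 builds here included, are compiled with -fstrict-flex-arrays=3, under which only a trailing array declared as `[]` is a flexible array member; a `[0]` array is an array of exactly zero elements, and with CONFIG_UBSAN_BOUNDS every access to element 0 of it is reported, regardless of how large the buffer behind it was allocated. What the traces show is therefore the declaration problem; whether the allocation behind it is sized and indexed correctly is a separate question the traces do not answer. The following is an added example, not code from vmware-host-modules: the struct and field names (MSRQuery, MSRReply, logicalCpus, numLogicalCPUs, returnCode) are assumptions chosen to mirror the reports, and the helpers show the two declarations side by side together with the size and index checks an ioctl handler needs before trusting a user-supplied CPU count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not code from vmware-host-modules. Struct and field names
 * are assumptions chosen to mirror the MSR query in the UBSAN reports.
 */
typedef struct MSRReply {
    uint64_t msrVal;
    uint8_t  returnCode;      /* 0 = rdmsr succeeded on that CPU (assumed) */
} MSRReply;

/*
 * Legacy GNU idiom: zero-length trailing array. With -fstrict-flex-arrays=3
 * (which recent kernels use) this is an array of exactly zero elements, so
 * under CONFIG_UBSAN_BOUNDS every access like q->logicalCpus[0] is reported
 * as "index 0 is out of range for type 'MSRReply [*]'".
 */
typedef struct MSRQueryLegacy {
    uint32_t msrNum;
    uint32_t numLogicalCPUs;
    MSRReply logicalCpus[0];
} MSRQueryLegacy;

/*
 * C99 flexible array member: the bound is not part of the type, so the
 * sanitizer does not treat in-range accesses as errors.
 */
typedef struct MSRQuery {
    uint32_t msrNum;
    uint32_t numLogicalCPUs;
    MSRReply logicalCpus[];
} MSRQuery;

/* The two declarations have identical layout, so the change is ABI-neutral. */
int msrquery_layout_is_identical(void)
{
    return sizeof(MSRQueryLegacy) == sizeof(MSRQuery) &&
           offsetof(MSRQueryLegacy, logicalCpus) == offsetof(MSRQuery, logicalCpus);
}

/* Size for n replies, with an overflow guard for an untrusted n. 0 on overflow. */
size_t msrquery_size(uint32_t n)
{
    if (n > (SIZE_MAX - sizeof(MSRQuery)) / sizeof(MSRReply))
        return 0;
    return sizeof(MSRQuery) + (size_t)n * sizeof(MSRReply);
}

/* Allocate a query; every slot starts as "not collected" (returnCode != 0). */
MSRQuery *msrquery_alloc(uint32_t msrNum, uint32_t n)
{
    size_t sz = msrquery_size(n);
    MSRQuery *q = sz ? calloc(1, sz) : NULL;
    if (!q)
        return NULL;
    q->msrNum = msrNum;
    q->numLogicalCPUs = n;
    for (uint32_t i = 0; i < n; i++)
        q->logicalCpus[i].returnCode = 0xff;
    return q;
}

/* Per-CPU store: cpu is checked against numLogicalCPUs before indexing. */
int msrquery_set(MSRQuery *q, uint32_t cpu, uint64_t val, uint8_t rc)
{
    if (!q || cpu >= q->numLogicalCPUs)
        return -1;
    q->logicalCpus[cpu].msrVal = val;
    q->logicalCpus[cpu].returnCode = rc;
    return 0;
}

/* Read back a collected value; -1 if out of range or not collected. */
int msrquery_get(const MSRQuery *q, uint32_t cpu, uint64_t *out)
{
    if (!q || cpu >= q->numLogicalCPUs || q->logicalCpus[cpu].returnCode != 0)
        return -1;
    *out = q->logicalCpus[cpu].msrVal;
    return 0;
}

int main(void)
{
    /* Constructed sample: two CPUs, MSR 0x1b (IA32_APIC_BASE), made-up values. */
    MSRQuery *q = msrquery_alloc(0x1b, 2);
    uint64_t v;
    if (!q)
        return 1;
    msrquery_set(q, 0, 0xfee00900ULL, 0);
    msrquery_set(q, 1, 0xfee00800ULL, 0);
    for (uint32_t c = 0; c < q->numLogicalCPUs; c++)
        if (msrquery_get(q, c, &v) == 0)
            printf("cpu%u msr 0x%x = 0x%llx\n", c, q->msrNum, (unsigned long long)v);
    printf("layout identical: %d, reject cpu 2: %d\n",
           msrquery_layout_is_identical(), msrquery_set(q, 2, 0, 0));
    free(q);
    return 0;
}
```

Compiled with the kernel's flags (gcc -fstrict-flex-arrays=3 -fsanitize=bounds) the legacy struct reproduces the message in the traces on its first element access while the flexible-array version does not; compiled normally, as above, both behave identically, which is why the declaration change alone is enough to silence the report without touching the size math.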

@mack-w

mack-w commented Jun 20, 2024

duplicate of #243
