lguest: fix spurious BUG_ON() on invalid guest stack.

upstream commit: 6afbdd059c27330eccbd85943354f94c2b83a7fe

Impact: fix crash on misbehaving guest

gpte_addr() contains a BUG_ON(), insisting that the present flag is
set.  We need to return before we call it if that isn't the case.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: stable@kernel.org
Signed-off-by: Chris Wright <chrisw@sous-sol.org>

diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c
index 576a8318221c9dfe47dc28a660565094c9ef7753..82ff484bd8c8e9629625a4ddf8d016484aab8055 100644 (file)
--- a/drivers/lguest/page_tables.c
+++ b/drivers/lguest/page_tables.c
@@ -373,8 +373,10 @@ unsigned long guest_pa(struct lg_cpu *cpu, unsigned long vaddr)
        /* First step: get the top-level Guest page table entry. */
        gpgd = lgread(cpu, gpgd_addr(cpu, vaddr), pgd_t);
        /* Toplevel not present?  We can't map it in. */
-       if (!(pgd_flags(gpgd) & _PAGE_PRESENT))
+       if (!(pgd_flags(gpgd) & _PAGE_PRESENT)) {
                kill_guest(cpu, "Bad address %#lx", vaddr);
+               return -1UL;
+       }
 
        gpte = lgread(cpu, gpte_addr(gpgd, vaddr), pte_t);
        if (!(pte_flags(gpte) & _PAGE_PRESENT))