KVM: nVMX: really fix the size checks on KVM_SET_NESTED_STATE

The offset for reading the shadow VMCS is sizeof(*kvm_state)+VMCS12_SIZE,
so the correct size must be that plus sizeof(*vmcs12).  This could lead
to KVM reading garbage data from userspace and not reporting an error,
but is otherwise not sensitive.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index f1a69117ac0f1a8b8e73c8df10d8aade220a6ba1..2fd251ded754ae9ffa24434dbe95d5d7d809dc46 100644 (file)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -5427,7 +5427,7 @@ static int vmx_set_nested_state(struct kvm_vcpu *vcpu,
            vmcs12->vmcs_link_pointer != -1ull) {
                struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);
 
-               if (kvm_state->size < sizeof(*kvm_state) + 2 * sizeof(*vmcs12))
+               if (kvm_state->size < sizeof(*kvm_state) + VMCS12_SIZE + sizeof(*vmcs12))
                        return -EINVAL;
 
                if (copy_from_user(shadow_vmcs12,