Date: Mon, 18 Feb 2019 17:53:28 +0100
Message-Id: <20190218165328.100978-1-jannh@google.com>
Subject: [PATCH 3.18,4.4] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
From: Jann Horn
To: stable@vger.kernel.org, jannh@google.com
Cc: Paolo Bonzini

commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.

kvm_ioctl_create_device() does the following:

1. creates a device that holds a reference to the VM object (with a borrowed reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real reference

The ownership transfer in step 3 must not happen before the reference to the VM becomes a proper, non-borrowed reference, which only happens in step 4. After step 3, an attacker can close the file descriptor and drop the borrowed reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before anon_inode_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d57dc7f ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn
---
 virt/kvm/kvm_main.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index e4be695eb789..fce48d11ae07 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -2711,14 +2711,15 @@ static int kvm_ioctl_create_device(struct kvm *kvm, return ret; } + kvm_get_kvm(kvm); ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); if (ret < 0) { + kvm_put_kvm(kvm); ops->destroy(dev); return ret; } list_add(&dev->vm_node, &kvm->devices); - kvm_get_kvm(kvm); cd->fd = ret; return 0; }
-- 
2.21.0.rc0.258.g878e2cd30e-goog
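Review bot: in the error branch the new `kvm_put_kvm(kvm);` runs before `ops->destroy(dev);` while dev still points at kvm, so the teardown is correct only because the caller of kvm_ioctl_create_device() still holds the VM reference that dev borrowed and this put can never be the last one; swapping the two lines (destroy the device, then drop the reference that was taken for it) would mirror the setup order and not lean on that invariant, or a one-line comment could state it. Separately, now that the reference is taken before anon_inode_getfd(), the release handler behind kvm_device_fops is the only thing that balances it on close; that handler is outside this hunk and is worth confirming in the 3.18 and 4.4 trees the subject line targets, since an unbalanced get there would turn this fix into a VM leak instead of a use-after-free.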
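The ownership-order problem described in the commit message, as an added example that is not part of the patch or of the kernel: a toy reference-count model (vm_t, device_t, fd_table_t and every function below are constructed here; none is a KVM identifier) runs the pre-patch and post-patch orderings with a close() of the new descriptor interleaved between publishing the fd and taking the reference, the window the commit message points at.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the refcount ordering bug from the commit message.
 * vm_t stands in for struct kvm, device_t for the kvm_device, fd_table_t
 * for the caller's file descriptor table. Nothing here is kernel code. */

typedef struct vm {
	int refcount;
	bool freed;	/* set once the last reference is dropped (models VM destruction) */
} vm_t;

typedef struct device {
	vm_t *vm;	/* pointer to the VM; borrowed until the device owns a reference */
} device_t;

#define FD_MAX 8
typedef struct fd_table {
	device_t *slots[FD_MAX];
} fd_table_t;

static void vm_get(vm_t *vm) { vm->refcount++; }

static void vm_put(vm_t *vm)
{
	if (--vm->refcount == 0)
		vm->freed = true;	/* in the real kernel the memory is released here */
}

/* Models the fops release: closing the fd drops the device's reference to the VM. */
static void device_release(device_t *dev)
{
	vm_put(dev->vm);
	free(dev);
}

/* Models anon_inode_getfd(): publish the device in the fd table, return fd or -1. */
static int fd_install(fd_table_t *tbl, device_t *dev)
{
	for (int i = 0; i < FD_MAX; i++) {
		if (!tbl->slots[i]) {
			tbl->slots[i] = dev;
			return i;
		}
	}
	return -1;
}

/* Models a close(fd) from another thread that wins the race against the ioctl. */
static void fd_close(fd_table_t *tbl, int fd)
{
	device_t *dev = tbl->slots[fd];
	tbl->slots[fd] = NULL;
	device_release(dev);
}

/* Pre-patch ordering: publish the fd (step 3) before taking the reference (step 4).
 * Returns the VM refcount afterwards, or -1 if the VM was freed under us. */
static int create_device_buggy(vm_t *vm, fd_table_t *tbl, bool close_in_window)
{
	device_t *dev = calloc(1, sizeof(*dev));
	if (!dev)
		return -1;
	dev->vm = vm;				/* borrowed reference only */
	int fd = fd_install(tbl, dev);		/* step 3: the fd table now owns dev */
	if (fd < 0) {
		free(dev);
		return -1;
	}
	if (close_in_window)
		fd_close(tbl, fd);		/* release drops a reference nobody took */
	if (vm->freed)
		return -1;			/* the real code would now touch freed memory */
	vm_get(vm);				/* step 4: too late to help */
	return vm->refcount;
}

/* Post-patch ordering: take the reference first; drop it ourselves if publishing fails. */
static int create_device_fixed(vm_t *vm, fd_table_t *tbl, bool close_in_window)
{
	device_t *dev = calloc(1, sizeof(*dev));
	if (!dev)
		return -1;
	dev->vm = vm;
	vm_get(vm);				/* the reference the device will own */
	int fd = fd_install(tbl, dev);
	if (fd < 0) {
		vm_put(vm);			/* no fd exists, so no release will drop it */
		free(dev);
		return -1;
	}
	if (close_in_window)
		fd_close(tbl, fd);		/* release drops exactly the reference taken above */
	return vm->freed ? -1 : vm->refcount;
}

int main(void)
{
	/* Constructed scenario: the ioctl caller holds one reference to the VM. */
	vm_t vm_a = { .refcount = 1, .freed = false };
	fd_table_t tbl_a = { { 0 } };
	printf("buggy order, racing close: %d (freed=%d)\n",
	       create_device_buggy(&vm_a, &tbl_a, true), vm_a.freed);
	vm_t vm_b = { .refcount = 1, .freed = false };
	fd_table_t tbl_b = { { 0 } };
	printf("fixed order, racing close: %d (freed=%d)\n",
	       create_device_fixed(&vm_b, &tbl_b, true), vm_b.freed);
	return 0;
}
```

With the caller holding a single reference, the pre-patch order lets the racing close drive the count to zero and the model reports the VM as freed, while the post-patch order leaves the count back at one: the close released precisely the reference the device had been given. The same model also shows why the patch adds the put in the error branch, since without an fd there is no release path left to balance the early get.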