* [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast()
@ 2022-03-25 13:21 Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 1/3] KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq Vitaly Kuznetsov
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Vitaly Kuznetsov @ 2022-03-25 13:21 UTC (permalink / raw)
To: kvm, Paolo Bonzini
Cc: Sean Christopherson, Wanpeng Li, Jim Mattson, linux-kernel
Syzkaller found the following crash:
general protection fault, probably for non-canonical address
0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 1 PID: 679 Comm: syz-executor210 Not tainted 5.17.0-rc8 #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1~cloud0 04/01/2014
RIP: 0010:kvm_irq_delivery_to_apic_fast+0x3dd/0x670 arch/x86/kvm/lapic.c:995
...
Call Trace:
<TASK>
kvm_irq_delivery_to_apic+0xb8/0x860 arch/x86/kvm/irq_comm.c:54
synic_set_irq+0x169/0x340 arch/x86/kvm/hyperv.c:463
synic_deliver_msg arch/x86/kvm/hyperv.c:770 [inline]
stimer_send_msg arch/x86/kvm/hyperv.c:793 [inline]
stimer_expiration arch/x86/kvm/hyperv.c:817 [inline]
kvm_hv_process_stimers+0xe85/0x1210 arch/x86/kvm/hyperv.c:849
vcpu_enter_guest+0x37cb/0x4070 arch/x86/kvm/x86.c:9947
vcpu_run arch/x86/kvm/x86.c:10261 [inline]
...
The immediate issue is that kvm_irq_delivery_to_apic_fast() dereferences
'src' while in some cases it can be NULL. A sentinel against this is added
in PATCH2 of the series, however, the condition should not happen in the
first place. synic_set_irq() should not call kvm_irq_delivery_to_apic() with
'shorthand = APIC_DEST_SELF' and 'vcpu->arch.apic == NULL' and this is also
'fixed' by PATCH1. The root cause of the problem, however, is that VMM was
allowed to enable Hyper-V synthetic timer when IRQ chip wasn't created.
This is fixed by PATCH3.
Vitaly Kuznetsov (3):
KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq
KVM: x86: Avoid theoretical NULL pointer dereference in
kvm_irq_delivery_to_apic_fast()
KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't
activated
arch/x86/kvm/hyperv.c | 12 +++++++++---
arch/x86/kvm/lapic.c | 4 ++++
2 files changed, 13 insertions(+), 3 deletions(-)
--
2.35.1
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 1/3] KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq
2022-03-25 13:21 [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast() Vitaly Kuznetsov
@ 2022-03-25 13:21 ` Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 2/3] KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast() Vitaly Kuznetsov
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Vitaly Kuznetsov @ 2022-03-25 13:21 UTC (permalink / raw)
To: kvm, Paolo Bonzini
Cc: Sean Christopherson, Wanpeng Li, Jim Mattson, linux-kernel
When KVM_CAP_HYPERV_SYNIC{,2} is activated, KVM already checks for
irqchip_in_kernel() so normally SynIC irqs should never be set. It is,
however, possible for a misbehaving VMM to write to SYNIC/STIMER MSRs
causing erroneous behavior.
The immediate issue being fixed is that kvm_irq_delivery_to_apic()
(kvm_irq_delivery_to_apic_fast()) crashes when called with
'irq.shorthand = APIC_DEST_SELF' and 'src == NULL'.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
---
arch/x86/kvm/hyperv.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
index 7480e3562d30..a79a094c1266 100644
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -453,6 +453,9 @@ static int synic_set_irq(struct kvm_vcpu_hv_synic *synic, u32 sint)
struct kvm_lapic_irq irq;
int ret, vector;
+ if (KVM_BUG_ON(!lapic_in_kernel(vcpu), vcpu->kvm))
+ return -EINVAL;
+
if (sint >= ARRAY_SIZE(synic->sint))
return -EINVAL;
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/3] KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast()
2022-03-25 13:21 [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast() Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 1/3] KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq Vitaly Kuznetsov
@ 2022-03-25 13:21 ` Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 3/3] KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated Vitaly Kuznetsov
2022-03-25 13:33 ` [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast() Paolo Bonzini
3 siblings, 0 replies; 5+ messages in thread
From: Vitaly Kuznetsov @ 2022-03-25 13:21 UTC (permalink / raw)
To: kvm, Paolo Bonzini
Cc: Sean Christopherson, Wanpeng Li, Jim Mattson, linux-kernel
When kvm_irq_delivery_to_apic_fast() is called with APIC_DEST_SELF
shorthand, 'src' must not be NULL. Crash the VM with KVM_BUG_ON()
instead of crashing the host.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
---
arch/x86/kvm/lapic.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 80a2020c4db4..66b0eb0bda94 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -1024,6 +1024,10 @@ bool kvm_irq_delivery_to_apic_fast(struct kvm *kvm, struct kvm_lapic *src,
*r = -1;
if (irq->shorthand == APIC_DEST_SELF) {
+ if (KVM_BUG_ON(!src, kvm)) {
+ *r = 0;
+ return true;
+ }
*r = kvm_apic_set_irq(src->vcpu, irq, dest_map);
return true;
}
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/3] KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated
2022-03-25 13:21 [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast() Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 1/3] KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 2/3] KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast() Vitaly Kuznetsov
@ 2022-03-25 13:21 ` Vitaly Kuznetsov
2022-03-25 13:33 ` [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast() Paolo Bonzini
3 siblings, 0 replies; 5+ messages in thread
From: Vitaly Kuznetsov @ 2022-03-25 13:21 UTC (permalink / raw)
To: kvm, Paolo Bonzini
Cc: Sean Christopherson, Wanpeng Li, Jim Mattson, linux-kernel
Setting non-zero values to SYNIC/STIMER MSRs activates certain features,
this should not happen when KVM_CAP_HYPERV_SYNIC{,2} was not activated.
Note, it would've been better to forbid writing anything to SYNIC/STIMER
MSRs, including zeroes, however, at least QEMU tries clearing
HV_X64_MSR_STIMER0_CONFIG without SynIC. HV_X64_MSR_EOM MSR is somewhat
'special' as writing zero there triggers an action, this also should not
happen when SynIC wasn't activated.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
---
arch/x86/kvm/hyperv.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kvm/hyperv.c b/arch/x86/kvm/hyperv.c
index a79a094c1266..123b677111c5 100644
--- a/arch/x86/kvm/hyperv.c
+++ b/arch/x86/kvm/hyperv.c
@@ -243,7 +243,7 @@ static int synic_set_msr(struct kvm_vcpu_hv_synic *synic,
struct kvm_vcpu *vcpu = hv_synic_to_vcpu(synic);
int ret;
- if (!synic->active && !host)
+ if (!synic->active && (!host || data))
return 1;
trace_kvm_hv_synic_set_msr(vcpu->vcpu_id, msr, data, host);
@@ -289,6 +289,9 @@ static int synic_set_msr(struct kvm_vcpu_hv_synic *synic,
case HV_X64_MSR_EOM: {
int i;
+ if (!synic->active)
+ break;
+
for (i = 0; i < ARRAY_SIZE(synic->sint); i++)
kvm_hv_notify_acked_sint(vcpu, i);
break;
@@ -668,7 +671,7 @@ static int stimer_set_config(struct kvm_vcpu_hv_stimer *stimer, u64 config,
struct kvm_vcpu_hv *hv_vcpu = to_hv_vcpu(vcpu);
struct kvm_vcpu_hv_synic *synic = to_hv_synic(vcpu);
- if (!synic->active && !host)
+ if (!synic->active && (!host || config))
return 1;
if (unlikely(!host && hv_vcpu->enforce_cpuid && new_config.direct_mode &&
@@ -697,7 +700,7 @@ static int stimer_set_count(struct kvm_vcpu_hv_stimer *stimer, u64 count,
struct kvm_vcpu *vcpu = hv_stimer_to_vcpu(stimer);
struct kvm_vcpu_hv_synic *synic = to_hv_synic(vcpu);
- if (!synic->active && !host)
+ if (!synic->active && (!host || count))
return 1;
trace_kvm_hv_stimer_set_count(hv_stimer_to_vcpu(stimer)->vcpu_id,
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast()
2022-03-25 13:21 [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast() Vitaly Kuznetsov
` (2 preceding siblings ...)
2022-03-25 13:21 ` [PATCH 3/3] KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated Vitaly Kuznetsov
@ 2022-03-25 13:33 ` Paolo Bonzini
3 siblings, 0 replies; 5+ messages in thread
From: Paolo Bonzini @ 2022-03-25 13:33 UTC (permalink / raw)
To: Vitaly Kuznetsov
Cc: kvm, Sean Christopherson, Wanpeng Li, Jim Mattson, linux-kernel
Queued, thanks.
Paolo
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-03-25 13:33 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-25 13:21 [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast() Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 1/3] KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 2/3] KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast() Vitaly Kuznetsov
2022-03-25 13:21 ` [PATCH 3/3] KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated Vitaly Kuznetsov
2022-03-25 13:33 ` [PATCH 0/3] KVM: x86: Prefent NULL prointer dereference in kvm_irq_delivery_to_apic_fast() Paolo Bonzini
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.