From: Michael Ellerman <mpe@ellerman.id.au>
To: oss-security@lists.openwall.com
Cc: linuxppc-dev@lists.ozlabs.org
Subject: Linux kernel: powerpc: KVM guest to host memory corruption
Date: Mon, 26 Jul 2021 19:13:25 +1000
Message-ID: <87im0x1lqi.fsf@mpe.ellerman.id.au>

The Linux kernel for powerpc since v3.10 has a bug which allows a malicious KVM guest to
corrupt host memory.

In the handling of the H_RTAS hypercall, args.rets is made to point into the args.args
buffer which is located on the stack:

	args.rets = &args.args[be32_to_cpu(args.nargs)];

However, args.nargs is not range checked before this assignment. That lets the guest point
args.rets anywhere up to +16GB beyond args.args.

The guest does not control what is written through args.rets: the value is always (u32)-3,
because the subsequent code does check nargs and returns that error. Additionally, the guest
is killed as a result of nargs being out of range, so a given guest only gets a single shot
at corrupting memory.
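To make the bound concrete, here is an added user-space model (not the kernel's code) of the pointer computation described above: the struct is an assumed stand-in for rtas_args with a 16-entry args[] array, the byte-order helpers are portable replacements for the kernel macros, and the hardened variant simply rejects any nargs that would place rets outside args[].

```c
#include <stdint.h>

/* Assumed model of the hypervisor-side block, mirroring struct rtas_args. */
#define RTAS_ARGS_LEN 16
struct rtas_args {
	uint32_t token;
	uint32_t nargs;              /* big-endian, copied in from the guest */
	uint32_t nret;
	uint32_t args[RTAS_ARGS_LEN];
	uint32_t *rets;              /* must stay inside args[] */
};

/* Portable stand-ins for the kernel's byte-order helpers. */
static uint32_t be32_to_cpu(uint32_t be)
{
	const unsigned char *p = (const unsigned char *)&be;
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

static uint32_t cpu_to_be32(uint32_t v)
{
	uint32_t be;
	unsigned char *p = (unsigned char *)&be;
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
	return be;
}

/* Bytes past args[0] at which the unchecked &args.args[nargs] lands. */
uint64_t unchecked_rets_offset(uint32_t nargs_host)
{
	return (uint64_t)nargs_host * sizeof(uint32_t);
}

/* Hardened variant: 0 and rets set if rets stays inside args[], else -1. */
int set_rets_checked(struct rtas_args *a)
{
	uint32_t nargs = be32_to_cpu(a->nargs);
	if (nargs >= RTAS_ARGS_LEN)
		return -1;
	a->rets = &a->args[nargs];
	return 0;
}

/* Feeds a guest-style (big-endian) nargs through the check; 1 = accepted. */
int nargs_accepted(uint32_t nargs)
{
	struct rtas_args a = { .nargs = cpu_to_be32(nargs) };
	return set_rets_checked(&a) == 0 && a.rets == &a.args[nargs];
}
```

With nargs at its u32 maximum, unchecked_rets_offset() returns 17179869180 bytes, which is where the 16GB figure comes from.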

Only machines using Linux as the hypervisor, i.e. KVM or bare metal, are affected by the
bug.

The bug was introduced in:

    8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls")

Which was first released in v3.10.

The upstream fix is:

  f62f3c20647e ("KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow")

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a

Which will be included in the v5.14 release.

cheers
