From: Will Deacon <will@kernel.org>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org, kernellwp@gmail.com,
linux-kernel@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"# 5 . 2 . y" <stable@kernel.org>
Subject: Re: [PATCH] kvm: Ensure writes to the coalesced MMIO ring are within bounds
Date: Wed, 18 Sep 2019 14:59:33 +0100 [thread overview]
Message-ID: <20190918135932.aitmvncwujmjnwyr@willie-the-truck> (raw)
In-Reply-To: <9d993b71-4f2d-4d6e-39c9-f2ef849f5e5f@redhat.com>
On Wed, Sep 18, 2019 at 03:41:40PM +0200, Paolo Bonzini wrote:
> On 18/09/19 15:15, Will Deacon wrote:
> > When records are written to the coalesced MMIO ring in response to a
> > vCPU MMIO exit, the 'ring->last' field is used to index the ring buffer
> > page. Although we hold the 'kvm->ring_lock' at this point, the ring
> > structure is mapped directly into the host userspace and can therefore
> > be modified to point at arbitrary pages within the kernel.
> >
> > Since this shouldn't happen in normal operation, simply bound the index
> > by KVM_COALESCED_MMIO_MAX to contain the accesses within the ring buffer
> > page.
> >
> > Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Cc: Paolo Bonzini <pbonzini@redhat.com>
> > Cc: <stable@kernel.org> # 5.2.y
> > Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
> > Reported-by: Bill Creasey <bcreasey@google.com>
> > Signed-off-by: Will Deacon <will@kernel.org>
> > ---
> >
> > I think there are some other fixes kicking around for this, but they
> > still rely on 'ring->last' being stable, which isn't necessarily the
> > case. I'll send the -stable backport for kernels prior to 5.2 once this
> > hits mainline.
>
> Google's patch, which checks if ring->last is not in range and fails
> with -EOPNOTSUPP if not, is slightly better. I'll send it in a second
> and Cc you (and also send it as a pull request to Linus).
Okey doke, as long as it gets fixed! My minor concerns with the error-checking
variant are:
* Whether or not you need a READ_ONCE to prevent the compiler potentially
reloading 'ring->last' after validation
* Whether or not this could be part of a spectre-v1 gadget
so, given that I don't think the malicious host deserves an error code if it
starts writing the 'last' index, I went with the "obviously safe" version.
But up to you.
Will
next prev parent reply other threads:[~2019-09-18 13:59 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-18 13:15 [PATCH] kvm: Ensure writes to the coalesced MMIO ring are within bounds Will Deacon
2019-09-18 13:30 ` Greg Kroah-Hartman
2019-09-18 13:41 ` Paolo Bonzini
2019-09-18 13:59 ` Will Deacon [this message]
2019-09-18 14:11 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190918135932.aitmvncwujmjnwyr@willie-the-truck \
--to=will@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=kernellwp@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).