* [PATCH] KVM: coalesced_mmio: add bounds checking
@ 2019-09-18 14:01 Paolo Bonzini
2019-09-18 14:09 ` Greg KH
2019-09-18 15:20 ` Will Deacon
0 siblings, 2 replies; 3+ messages in thread
From: Paolo Bonzini @ 2019-09-18 14:01 UTC (permalink / raw)
To: linux-kernel, kvm
Cc: will, kernellwp, gregkh, Matt Delco, stable, Jim Mattson
From: Matt Delco <delco@chromium.org>
The first/last indexes are typically shared with a user app.
The app can change the 'last' index that the kernel uses
to store the next result. This change sanity checks the index
before using it for writing to a potentially arbitrary address.
This fixes CVE-2019-14821.
Cc: stable@vger.kernel.org
Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
Signed-off-by: Matt Delco <delco@chromium.org>
Signed-off-by: Jim Mattson <jmattson@google.com>
Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
[Use READ_ONCE. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
virt/kvm/coalesced_mmio.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
index 5294abb3f178..8ffd07e2a160 100644
--- a/virt/kvm/coalesced_mmio.c
+++ b/virt/kvm/coalesced_mmio.c
@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struct kvm_coalesced_mmio_dev *dev,
return 1;
}
-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
+static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
{
struct kvm_coalesced_mmio_ring *ring;
unsigned avail;
@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
* there is always one unused entry in the buffer
*/
ring = dev->kvm->coalesced_mmio_ring;
- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
+ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
if (avail == 0) {
/* full */
return 0;
@@ -67,25 +67,28 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu,
{
struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
+ __u32 insert;
if (!coalesced_mmio_in_range(dev, addr, len))
return -EOPNOTSUPP;
spin_lock(&dev->kvm->ring_lock);
- if (!coalesced_mmio_has_room(dev)) {
+ insert = READ_ONCE(ring->last);
+ if (!coalesced_mmio_has_room(dev, insert) ||
+ insert >= KVM_COALESCED_MMIO_MAX) {
spin_unlock(&dev->kvm->ring_lock);
return -EOPNOTSUPP;
}
/* copy data in first free entry of the ring */
- ring->coalesced_mmio[ring->last].phys_addr = addr;
- ring->coalesced_mmio[ring->last].len = len;
- memcpy(ring->coalesced_mmio[ring->last].data, val, len);
- ring->coalesced_mmio[ring->last].pio = dev->zone.pio;
+ ring->coalesced_mmio[insert].phys_addr = addr;
+ ring->coalesced_mmio[insert].len = len;
+ memcpy(ring->coalesced_mmio[insert].data, val, len);
+ ring->coalesced_mmio[insert].pio = dev->zone.pio;
smp_wmb();
- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
+ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
spin_unlock(&dev->kvm->ring_lock);
return 0;
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] KVM: coalesced_mmio: add bounds checking
2019-09-18 14:01 [PATCH] KVM: coalesced_mmio: add bounds checking Paolo Bonzini
@ 2019-09-18 14:09 ` Greg KH
2019-09-18 15:20 ` Will Deacon
1 sibling, 0 replies; 3+ messages in thread
From: Greg KH @ 2019-09-18 14:09 UTC (permalink / raw)
To: Paolo Bonzini
Cc: linux-kernel, kvm, will, kernellwp, Matt Delco, stable, Jim Mattson
On Wed, Sep 18, 2019 at 04:01:42PM +0200, Paolo Bonzini wrote:
> From: Matt Delco <delco@chromium.org>
>
> The first/last indexes are typically shared with a user app.
> The app can change the 'last' index that the kernel uses
> to store the next result. This change sanity checks the index
> before using it for writing to a potentially arbitrary address.
>
> This fixes CVE-2019-14821.
>
> Cc: stable@vger.kernel.org
> Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
> Signed-off-by: Matt Delco <delco@chromium.org>
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
> [Use READ_ONCE. - Paolo]
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> virt/kvm/coalesced_mmio.c | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
Also looks good to me.
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] KVM: coalesced_mmio: add bounds checking
2019-09-18 14:01 [PATCH] KVM: coalesced_mmio: add bounds checking Paolo Bonzini
2019-09-18 14:09 ` Greg KH
@ 2019-09-18 15:20 ` Will Deacon
1 sibling, 0 replies; 3+ messages in thread
From: Will Deacon @ 2019-09-18 15:20 UTC (permalink / raw)
To: Paolo Bonzini
Cc: linux-kernel, kvm, kernellwp, gregkh, Matt Delco, stable, Jim Mattson
On Wed, Sep 18, 2019 at 04:01:42PM +0200, Paolo Bonzini wrote:
> From: Matt Delco <delco@chromium.org>
>
> The first/last indexes are typically shared with a user app.
> The app can change the 'last' index that the kernel uses
> to store the next result. This change sanity checks the index
> before using it for writing to a potentially arbitrary address.
>
> This fixes CVE-2019-14821.
>
> Cc: stable@vger.kernel.org
> Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
> Signed-off-by: Matt Delco <delco@chromium.org>
> Signed-off-by: Jim Mattson <jmattson@google.com>
> Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
> [Use READ_ONCE. - Paolo]
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> virt/kvm/coalesced_mmio.c | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
Acked-by: Will Deacon <will@kernel.org>
Will
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-09-18 15:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-18 14:01 [PATCH] KVM: coalesced_mmio: add bounds checking Paolo Bonzini
2019-09-18 14:09 ` Greg KH
2019-09-18 15:20 ` Will Deacon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).