From: Matt Delco <delco@chromium.org>
To: Wanpeng Li <kernellwp@gmail.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
"Jim Mattson" <jmattson@google.com>,
"kvm list" <kvm@vger.kernel.org>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Sean Christopherson" <sean.j.christopherson@intel.com>,
"Vitaly Kuznetsov" <vkuznets@redhat.com>,
"Wanpeng Li" <wanpengli@tencent.com>,
"Joerg Roedel" <joro@8bytes.org>,
stable@vger.kernel.org
Subject: Re: [PATCH 1/3] KVM: Fix coalesced mmio ring buffer out-of-bounds access
Date: Tue, 17 Sep 2019 08:18:42 -0700 [thread overview]
Message-ID: <CAHGX9VoAnfFZYVmVw0AukXPhPTsVssPwofjOvmZqFfOube9SQg@mail.gmail.com> (raw)
In-Reply-To: <CALMp9eSNTvHsSn55iNfF1tUAdAihz_2d5-Hac1H6TnvHyos-SQ@mail.gmail.com>
On Tue, Sep 17, 2019 at 7:59 AM Jim Mattson <jmattson@google.com> wrote:
> On Tue, Sep 17, 2019 at 1:16 AM Wanpeng Li <kernellwp@gmail.com> wrote:
> > From: Wanpeng Li <wanpengli@tencent.com>
> >
> > Reported by syzkaller:
> >
> > #PF: supervisor write access in kernel mode
> > #PF: error_code(0x0002) - not-present page
> > PGD 403c01067 P4D 403c01067 PUD 0
> > Oops: 0002 [#1] SMP PTI
> > CPU: 1 PID: 12564 Comm: a.out Tainted: G OE 5.3.0-rc4+ #4
> > RIP: 0010:coalesced_mmio_write+0xcc/0x130 [kvm]
> > Call Trace:
> > __kvm_io_bus_write+0x91/0xe0 [kvm]
> > kvm_io_bus_write+0x79/0xf0 [kvm]
> > write_mmio+0xae/0x170 [kvm]
> > emulator_read_write_onepage+0x252/0x430 [kvm]
> > emulator_read_write+0xcd/0x180 [kvm]
> > emulator_write_emulated+0x15/0x20 [kvm]
> > segmented_write+0x59/0x80 [kvm]
> > writeback+0x113/0x250 [kvm]
> > x86_emulate_insn+0x78c/0xd80 [kvm]
> > x86_emulate_instruction+0x386/0x7c0 [kvm]
> > kvm_mmu_page_fault+0xf9/0x9e0 [kvm]
> > handle_ept_violation+0x10a/0x220 [kvm_intel]
> > vmx_handle_exit+0xbe/0x6b0 [kvm_intel]
> > vcpu_enter_guest+0x4dc/0x18d0 [kvm]
> > kvm_arch_vcpu_ioctl_run+0x407/0x660 [kvm]
> > kvm_vcpu_ioctl+0x3ad/0x690 [kvm]
> > do_vfs_ioctl+0xa2/0x690
> > ksys_ioctl+0x6d/0x80
> > __x64_sys_ioctl+0x1a/0x20
> > do_syscall_64+0x74/0x720
> > entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > RIP: 0010:coalesced_mmio_write+0xcc/0x130 [kvm]
> >
> > Both the coalesced_mmio ring buffer indexs ring->first and ring->last are
> > bigger than KVM_COALESCED_MMIO_MAX from the testcase, array out-of-bounds
> > access triggers by ring->coalesced_mmio[ring->last].phys_addr = addr;
> > assignment. This patch fixes it by mod indexs by KVM_COALESCED_MMIO_MAX.
> >
> > syzkaller source: https://syzkaller.appspot.com/x/repro.c?x=134b2826a00000
> >
> > Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
> > ---
> > virt/kvm/coalesced_mmio.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
> > index 5294abb..cff1ec9 100644
> > --- a/virt/kvm/coalesced_mmio.c
> > +++ b/virt/kvm/coalesced_mmio.c
> > @@ -73,6 +73,8 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu,
> >
> > spin_lock(&dev->kvm->ring_lock);
> >
> > + ring->first = ring->first % KVM_COALESCED_MMIO_MAX;
This update to first doesn't provide any worthwhile benefit (it's not
used to compute the address of a write) and likely adds the overhead
cost of a 2nd divide operation (via the non-power-of-2 modulus). If
first is invalid then the app and/or kernel will be confused about
whether the ring is empty or full, but no serious harm will occur (and
since the only write to first is by an app the app is only causing
harm to itself).
> > + ring->last = ring->last % KVM_COALESCED_MMIO_MAX;
>
> I don't think this is sufficient, since the memory that ring points to
> is shared with userspace. Userspace can overwrite your corrected
> values with illegal ones before they are used. Not exactly a TOCTTOU
> issue, since there isn't technically a 'check' here, but the same
> idea.
>
> > if (!coalesced_mmio_has_room(dev)) {
> > spin_unlock(&dev->kvm->ring_lock);
> > return -EOPNOTSUPP;
> > --
> > 2.7.4
> >
prev parent reply other threads:[~2019-09-17 15:18 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-17 8:16 [PATCH 1/3] KVM: Fix coalesced mmio ring buffer out-of-bounds access Wanpeng Li
2019-09-17 8:16 ` [PATCH v2 2/3] KVM: X86: Fix userspace set broken combinations of CPUID and CR4 Wanpeng Li
2019-09-17 17:32 ` Sean Christopherson
2019-09-18 9:56 ` Wanpeng Li
2019-09-24 13:55 ` Paolo Bonzini
2019-09-17 8:16 ` [PATCH v5 3/3] KVM: LAPIC: Tune lapic_timer_advance_ns smoothly Wanpeng Li
2019-09-17 17:07 ` Paolo Bonzini
2019-09-17 8:18 ` [PATCH 1/3] KVM: Fix coalesced mmio ring buffer out-of-bounds access Paolo Bonzini
2019-09-17 14:58 ` Jim Mattson
2019-09-17 15:18 ` Matt Delco [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHGX9VoAnfFZYVmVw0AukXPhPTsVssPwofjOvmZqFfOube9SQg@mail.gmail.com \
--to=delco@chromium.org \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=kernellwp@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=sean.j.christopherson@intel.com \
--cc=stable@vger.kernel.org \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).