AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-02-05 03:35:55 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
c2dd5146e9
linux_dsm_epyc7002/arch/x86/kvm
History
Cfir Cohen c2dd5146e9 KVM: Fix UAF in nested posted interrupt processing 
nested_get_vmcs12_pages() processes the posted_intr address in vmcs12. It
caches the kmap()ed page object and pointer, however, it doesn't handle
errors correctly: it's possible to cache a valid pointer, then release
the page and later dereference the dangling pointer.

I was able to reproduce with the following steps:

1. Call vmlaunch with valid posted_intr_desc_addr but an invalid
MSR_EFER. This causes nested_get_vmcs12_pages() to cache the kmap()ed
pi_desc_page and pi_desc. Later the invalid EFER value fails
check_vmentry_postreqs() which fails the first vmlaunch.

2. Call vmlanuch with a valid EFER but an invalid posted_intr_desc_addr
(I set it to 2G - 0x80). The second time we call nested_get_vmcs12_pages
pi_desc_page is unmapped and released and pi_desc_page is set to NULL
(the "shouldn't happen" clause). Due to the invalid
posted_intr_desc_addr, kvm_vcpu_gpa_to_page() fails and
nested_get_vmcs12_pages() returns. It doesn't return an error value so
vmlaunch proceeds. Note that at this time we have a dangling pointer in
vmx->nested.pi_desc and POSTED_INTR_DESC_ADDR in L0's vmcs.

3. Issue an IPI in L2 guest code. This triggers a call to
vmx_complete_nested_posted_interrupt() and pi_test_and_clear_on() which
dereferences the dangling pointer.

Vulnerable code requires nested and enable_apicv variables to be set to
true. The host CPU must also support posted interrupts.

Fixes: 5e2f30b756 "KVM: nVMX: get rid of nested_get_page()"
Cc: stable@vger.kernel.org
Reviewed-by: Andy Honig <ahonig@google.com>
Signed-off-by: Cfir Cohen <cfir@google.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2018-12-18 22:15:34 +01:00
..
cpuid.c KVM: X86: Implement "send IPI" hypercall 2018-08-06 17:59:20 +02:00
cpuid.h KVM/x86: Update the reverse_cpuid list to include CPUID_7_EDX 2018-02-03 23:06:51 +01:00
debugfs.c kvm: x86: export TSC information to user-space 2016-09-16 16:57:48 +02:00
emulate.c x86: Clean up 'sizeof x' => 'sizeof(x)' 2018-10-29 07:13:28 +01:00
hyperv.c x86/kvm/hyperv: don't clear VP assist pages on init 2018-10-17 00:30:17 +02:00
hyperv.h KVM: hyperv: define VP assist page helpers 2018-10-17 00:30:13 +02:00
i8254.c KVM: x86: take slots_lock in kvm_free_pit 2017-07-12 22:38:26 +02:00
i8254.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
i8259.c KVM: x86: simplify pic_ioport_read() 2017-04-12 20:17:15 +02:00
ioapic.c KVM: x86: ioapic: Preserve read-only values in the redirection table 2017-11-17 13:20:21 +01:00
ioapic.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
irq_comm.c KVM: x86: don't hold kvm->lock in KVM_SET_GSI_ROUTING 2017-05-02 14:45:45 +02:00
irq.c KVM: x86: Rename interrupt.pending to interrupt.injected 2018-03-28 22:47:06 +02:00
irq.h KVM: x86: don't hold kvm->lock in KVM_SET_GSI_ROUTING 2017-05-02 14:45:45 +02:00
Kconfig x86/kvm/Kconfig: Ensure CRYPTO_DEV_CCP_DD state at minimum matches KVM_AMD 2018-07-15 17:36:57 +02:00
kvm_cache_regs.h KVM: nVMX: Do not load EOI-exitmap while running L2 2018-03-21 14:16:44 +01:00
lapic.c KVM: x86: fix empty-body warnings 2018-11-27 12:50:09 +01:00
lapic.h KVM: hyperv: define VP assist page helpers 2018-10-17 00:30:13 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mmu_audit.c x86/kvm/mmu: make vcpu->mmu a pointer to the current MMU 2018-10-17 00:30:02 +02:00
mmu.c kvm: mmu: Fix race in emulated page table writes 2018-11-27 12:50:31 +01:00
mmu.h x86/kvm/mmu: make vcpu->mmu a pointer to the current MMU 2018-10-17 00:30:02 +02:00
mmutrace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mtrr.c KVM: x86: generalize guest_cpuid_has_ helpers 2017-08-07 16:11:50 +02:00
page_track.c treewide: kvzalloc() -> kvcalloc() 2018-06-12 16:19:22 -07:00
paging_tmpl.h x86/kvm/mmu: make vcpu->mmu a pointer to the current MMU 2018-10-17 00:30:02 +02:00
pmu_amd.c KVM: x86: Add support for AMD Core Perf Extension in guest 2018-03-16 22:01:28 +01:00
pmu_intel.c KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh() 2017-05-19 19:59:27 +02:00
pmu.c KVM: x86: Add support for VMware backdoor Pseudo-PMCs 2018-03-16 22:02:01 +01:00
pmu.h KVM: x86: Add support for VMware backdoor Pseudo-PMCs 2018-03-16 22:02:01 +01:00
svm.c kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb 2018-11-27 12:50:42 +01:00
trace.h KVM: x86: hyperv: implement PV IPI send hypercalls 2018-10-17 00:29:47 +02:00
tss.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
vmx_evmcs.h x86/kvm: use Enlightened VMCS when running on Hyper-V 2018-03-28 22:47:06 +02:00
vmx_shadow_fields.h x86/kvm/nVMX: tweak shadow fields 2018-10-19 18:45:14 +02:00
vmx.c KVM: Fix UAF in nested posted interrupt processing 2018-12-18 22:15:34 +01:00
x86.c KVM: nVMX/nSVM: Fix bug which sets vcpu->arch.tsc_offset to L1 tsc_offset 2018-11-27 12:50:10 +01:00
x86.h kvm: x86: Defer setting of CR2 until #PF delivery 2018-10-17 19:07:43 +02:00