+-- On Tue, 18 Dec 2018, Cfir Cohen wrote --+
| Vulnerable code requires nested and enable_apicv variables to be set to
| true. The host CPU must also support posted interrupts.
|
| Fixes: 5e2f30b756a37 "KVM: nVMX: get rid of nested_get_page()"
| Reviewed-by: Andy Honig <ahonig@xxxxxxxxxx>
| Signed-off-by: Cfir Cohen <cfir@xxxxxxxxxx>

Do we need to include CVE id in the commit log message?

| diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c | index 02edd9960e9d..8d5d984541be 100644 | --- a/arch/x86/kvm/vmx.c | +++ b/arch/x86/kvm/vmx.c | @@ -11985,6 +11985,8 @@ static void nested_get_vmcs12_pages(struct kvm_vcpu *vcpu) | kunmap(vmx->nested.pi_desc_page); | kvm_release_page_dirty(vmx->nested.pi_desc_page); | vmx->nested.pi_desc_page = NULL; | + vmx->nested.pi_desc = NULL; | + vmcs_write64(POSTED_INTR_DESC_ADDR, -1ull); | } | page = kvm_vcpu_gpa_to_page(vcpu, vmcs12->posted_intr_desc_addr); | if (is_error_page(page))

Looks good.

Thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
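
Review bot: The bare `-1ull` written to `POSTED_INTR_DESC_ADDR` in the second added line needs a comment saying why it is there. From the context lines, the reset runs before `kvm_vcpu_gpa_to_page()` and the `is_error_page(page)` check, so its purpose appears to be that neither `vmx->nested.pi_desc` nor the VMCS field keeps referring to the page that was just unmapped and released if the new lookup fails. A one-line comment above the two added lines stating that would keep a later cleanup from dropping them as redundant. It is also worth confirming that every reader of `vmx->nested.pi_desc` tolerates NULL, since after this change the pointer stays NULL if the error path below does not set it again.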