On Mon, Jan 14, 2019 at 03:47:28PM -0800, Tom Roeder wrote: > This changes the allocation of cached_vmcs12 to use kzalloc instead of > kmalloc. This removes the information leak found by Syzkaller (see > Reported-by) in this case and prevents similar leaks from happening > based on cached_vmcs12. Is the leak specific to vmx_set_nested_state(), e.g. can we zero out the memory if copy_from_user() fails instead of taking the hit on every allocation? > The email from Syszkaller led to a discussion about a patch in early > November on the KVM list (I've made this a reply to that thread), but > the current upstream kernel still has kmalloc instead of kzalloc for > cached_vmcs12 and cached_shadow_vmcs12. This RFC proposes changing to > kzalloc for defense in depth. > > Tested: rebuilt but not tested, since this is an RFC > > Reported-by: syzbot+ded1696f6b50b615b630@xxxxxxxxxxxxxxxxxxxxxxxxx > Signed-off-by: Tom Roeder <tmroeder@xxxxxxxxxx> > --- > arch/x86/kvm/vmx/nested.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c > index 2616bd2c7f2c7..ad46667042c7a 100644 > --- a/arch/x86/kvm/vmx/nested.c > +++ b/arch/x86/kvm/vmx/nested.c > @@ -4140,11 +4140,11 @@ static int enter_vmx_operation(struct kvm_vcpu *vcpu) > if (r < 0) > goto out_vmcs02; > > - vmx->nested.cached_vmcs12 = kmalloc(VMCS12_SIZE, GFP_KERNEL); > + vmx->nested.cached_vmcs12 = kzalloc(VMCS12_SIZE, GFP_KERNEL); > if (!vmx->nested.cached_vmcs12) > goto out_cached_vmcs12; Obviously not your code, but why do we allocate VMCS12_SIZE instead of sizeof(struct vmcs12)? I get why we require userspace to reserve the full 4k, but I don't understand why KVM needs to allocate the reserved bytes internally. > - vmx->nested.cached_shadow_vmcs12 = kmalloc(VMCS12_SIZE, GFP_KERNEL); > + vmx->nested.cached_shadow_vmcs12 = kzalloc(VMCS12_SIZE, GFP_KERNEL); > if (!vmx->nested.cached_shadow_vmcs12) > goto out_cached_shadow_vmcs12; > > -- > 2.20.1.97.g81188d93c3-goog >
