On 9/12/19 1:54 PM, Thomas Huth wrote: > When the userspace program runs the KVM_S390_INTERRUPT ioctl to inject > an interrupt, we convert them from the legacy struct kvm_s390_interrupt > to the new struct kvm_s390_irq via the s390int_to_s390irq() function. > However, this function does not take care of all types of interrupts > that we can inject into the guest later (see do_inject_vcpu()). Since we > do not clear out the s390irq values before calling s390int_to_s390irq(), > there is a chance that we copy random data from the kernel stack which > could be leaked to the userspace later. > > Specifically, the problem exists with the KVM_S390_INT_PFAULT_INIT > interrupt: s390int_to_s390irq() does not handle it, and the function > __inject_pfault_init() later copies irq->u.ext which contains the > random kernel stack data. This data can then be leaked either to > the guest memory in __deliver_pfault_init(), or the userspace might > retrieve it directly with the KVM_S390_GET_IRQ_STATE ioctl. > > Fix it by handling that interrupt type in s390int_to_s390irq(), too, > and by making sure that the s390irq struct is properly pre-initialized. > And while we're at it, make sure that s390int_to_s390irq() now > directly returns -EINVAL for unknown interrupt types, so that we > immediately get a proper error code in case we add more interrupt > types to do_inject_vcpu() without updating s390int_to_s390irq() > sometime in the future. > > Cc: stable@xxxxxxxxxxxxxxx > Reviewed-by: David Hildenbrand <david@xxxxxxxxxx> > Reviewed-by: Christian Borntraeger <borntraeger@xxxxxxxxxx> > Signed-off-by: Thomas Huth <thuth@xxxxxxxxxx> Reviewed-by: Janosch Frank <frankja@xxxxxxxxxxxxx>
Attachment:
signature.asc
Description: OpenPGP digital signature