On Fri, Jul 19, 2024, Mirsad Todorovac wrote:
> Hi, all!
>
> Here is another potential NULL pointer dereference in the kvm subsystem of linux
> stable vanilla 6.10, as GCC 12.3.0 complains.
>
> (Please don't throw stuff at me, I think this is the last one for today :-)
>
> arch/x86/include/asm/mshyperv.h
> -------------------------------
> 242 static inline struct hv_vp_assist_page *hv_get_vp_assist_page(unsigned int cpu)
> 243 {
> 244 	if (!hv_vp_assist_page)
> 245 		return NULL;
> 246
> 247 	return hv_vp_assist_page[cpu];
> 248 }
>
> arch/x86/kvm/vmx/vmx_onhyperv.h
> -------------------------------
> 102 static inline void evmcs_load(u64 phys_addr)
> 103 {
> 104 	struct hv_vp_assist_page *vp_ap =
> 105 		hv_get_vp_assist_page(smp_processor_id());
> 106
> 107 	if (current_evmcs->hv_enlightenments_control.nested_flush_hypercall)
> 108 		vp_ap->nested_control.features.directhypercall = 1;
> 109 	vp_ap->current_nested_vmcs = phys_addr;
> 110 	vp_ap->enlighten_vmentry = 1;
> 111 }
>
> Now, this one is simple:

Nope :-)

> hv_vp_assist_page(cpu) can return NULL, and in line 104 it is assigned to
> vp_ap, which is dereferenced in lines 108, 109, and 110, which is not checked
> against returning NULL by hv_vp_assist_page().

When enabling eVMCS, and when onlining a CPU with eVMCS enabled, KVM verifies
that every CPU has a valid hv_vp_assist_page() and either aborts enabling
eVMCS or rejects CPU onlining.  So very subtly, it's impossible for
hv_vp_assist_page() to be NULL at evmcs_load().
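The invariant the reply relies on, as an added stand-alone model that is not KVM code and not part of the thread: the per-CPU page table, an enable path that aborts if any online CPU lacks a page, an online path that rejects a CPU without a page once eVMCS is on, and a hot-path load that consequently dereferences without a NULL check. Everything here (NR_CPUS, the `struct vp_assist_page` fields, the `evmcs_enable`/`cpu_online` names and the scenario helpers) is a constructed, hypothetical simplification; only the shape of the argument matches the reply.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not KVM's data structures. */
#define NR_CPUS 4

struct vp_assist_page {
	uint64_t current_nested_vmcs;
	uint32_t enlighten_vmentry;
};

/* Constructed per-CPU table: a NULL slot means "no assist page for this CPU". */
static struct vp_assist_page backing[NR_CPUS];
static struct vp_assist_page *vp_assist_page[NR_CPUS];
static bool cpu_is_online[NR_CPUS];
static bool evmcs_enabled;

static struct vp_assist_page *get_vp_assist_page(unsigned int cpu)
{
	if (cpu >= NR_CPUS)
		return NULL;
	return vp_assist_page[cpu];
}

/* Enable path: every online CPU must already have a page, otherwise abort. */
static int evmcs_enable(void)
{
	for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++)
		if (cpu_is_online[cpu] && !get_vp_assist_page(cpu))
			return -1;	/* enabling aborted, evmcs_enabled stays false */
	evmcs_enabled = true;
	return 0;
}

/* Online path: once eVMCS is enabled, a CPU with no page is refused. */
static int cpu_online(unsigned int cpu)
{
	if (cpu >= NR_CPUS)
		return -1;
	if (evmcs_enabled && !get_vp_assist_page(cpu))
		return -1;	/* onlining rejected */
	cpu_is_online[cpu] = true;
	return 0;
}

/*
 * Hot path: only reachable on an online CPU with eVMCS enabled, so the two
 * paths above guarantee the pointer is non-NULL; no check is needed here.
 */
static void evmcs_load(unsigned int cpu, uint64_t phys_addr)
{
	struct vp_assist_page *vp_ap = get_vp_assist_page(cpu);

	vp_ap->current_nested_vmcs = phys_addr;
	vp_ap->enlighten_vmentry = 1;
}

/* Reset the model and hand assist pages to CPUs 0..2 only (constructed setup). */
static void reset_model(void)
{
	for (unsigned int cpu = 0; cpu < NR_CPUS; cpu++) {
		backing[cpu] = (struct vp_assist_page){ 0 };
		vp_assist_page[cpu] = (cpu < 3) ? &backing[cpu] : NULL;
		cpu_is_online[cpu] = false;
	}
	evmcs_enabled = false;
}

/* CPU 3 (no page) is online before enabling: enable must abort. */
static int scenario_enable_aborts(void)
{
	reset_model();
	cpu_online(0);
	cpu_online(1);
	cpu_online(3);
	return evmcs_enable();	/* -1, and evmcs_enabled remains false */
}

/* Enable with CPUs 0,1 online, then online 2 (ok) and 3 (rejected). */
static int scenario_online_rejected(void)
{
	reset_model();
	cpu_online(0);
	cpu_online(1);
	if (evmcs_enable() != 0)
		return -100;
	if (cpu_online(2) != 0)
		return -101;
	return cpu_online(3);	/* -1: rejected, so evmcs_load(3, ...) is unreachable */
}

/* After the checks above, evmcs_load on an online CPU is safe without a NULL test. */
static uint64_t scenario_load_after_checks(void)
{
	if (scenario_online_rejected() != -1)
		return 0;
	evmcs_load(2, 0x1000);
	return backing[2].current_nested_vmcs;	/* 0x1000 */
}

int main(void)
{
	printf("enable with pageless online CPU: %d\n", scenario_enable_aborts());
	printf("online pageless CPU after enable: %d\n", scenario_online_rejected());
	printf("vmcs loaded on CPU 2: 0x%llx\n",
	       (unsigned long long)scenario_load_after_checks());
	return 0;
}
```

The point of the model is where the check lives: both entry points that can change the set of (online CPU, page) pairs validate the page, so the per-VM-entry path is left free of a branch that can never be taken.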