Re: [PATCH] KVM: Fix stack-out-of-bounds read in write_mmio

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/01/2018 13:14, Greg KH wrote:
> On Tue, Jan 09, 2018 at 07:24:27AM -0800, sawlani@xxxxxxxxxx wrote:
>> From: Pradeep Sawlani <sawlani@xxxxxxxxxx>
>>
>> commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56 upstream.
>>
>> Reported by syzkaller:
>>
>>   BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
>>   Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
>>
>>   CPU: 6 PID: 32298 Comm: syz-executor Tainted: G           OE    4.15.0-rc2+ #18
>>   Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
>>   Call Trace:
>>    dump_stack+0xab/0xe1
>>    print_address_description+0x6b/0x290
>>    kasan_report+0x28a/0x370
>>    write_mmio+0x11e/0x270 [kvm]
>>    emulator_read_write_onepage+0x311/0x600 [kvm]
>>    emulator_read_write+0xef/0x240 [kvm]
>>    emulator_fix_hypercall+0x105/0x150 [kvm]
>>    em_hypercall+0x2b/0x80 [kvm]
>>    x86_emulate_insn+0x2b1/0x1640 [kvm]
>>    x86_emulate_instruction+0x39a/0xb90 [kvm]
>>    handle_exception+0x1b4/0x4d0 [kvm_intel]
>>    vcpu_enter_guest+0x15a0/0x2640 [kvm]
>>    kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
>>    kvm_vcpu_ioctl+0x479/0x880 [kvm]
>>    do_vfs_ioctl+0x142/0x9a0
>>    SyS_ioctl+0x74/0x80
>>    entry_SYSCALL_64_fastpath+0x23/0x9a
>>
>> The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
>> to the guest memory, however, write_mmio tracepoint always prints 8 bytes
>> through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
>> leaks 5 bytes from the kernel stack (CVE-2017-17741).  This patch fixes
>> it by just accessing the bytes which we operate on.
>>
>> Before patch:
>>
>> syz-executor-5567  [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
>>
>> After patch:
>>
>> syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
>>
>> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
>> Reviewed-by: Darren Kenny <darren.kenny@xxxxxxxxxx>
>> Reviewed-by: Marc Zyngier <marc.zyngier@xxxxxxx>
>> Tested-by: Marc Zyngier <marc.zyngier@xxxxxxx>
>> Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
>> Cc: Radim Krčmář <rkrcmar@xxxxxxxxxx>
>> Cc: Marc Zyngier <marc.zyngier@xxxxxxx>
>> Cc: Christoffer Dall <christoffer.dall@xxxxxxxxxx>
>> Signed-off-by: Wanpeng Li <wanpeng.li@xxxxxxxxxxx>
>> Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
>> Signed-off-by: Pradeep Sawlani <sawlani@xxxxxxxxxx>
>> ---
>>  arch/arm/kvm/mmio.c        | 6 +++---
>>  arch/x86/kvm/x86.c         | 8 ++++----
>>  include/trace/events/kvm.h | 7 +++++--
>>  3 files changed, 12 insertions(+), 9 deletions(-)
> 
> What stable kernel(s) do you want this applied to?

This is a kernel memory leak, I think it only really matters in kernels
that have unprivileged eBPF.  But that went in for 4.4, so all of
4.4/4.9/4.14.

Thanks,

Paolo



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]