From: Marcelo Tosatti <mtosatti@redhat.com>
To: Jan Kiszka <jan.kiszka@web.de>
Cc: kvm-devel <kvm@vger.kernel.org>, Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: KVM: VMX: fix use after free of vmx->loaded_vmcs
Date: Fri, 3 Jan 2014 17:36:28 -0200
Message-ID: <20140103193628.GA17605@amt.cnet>
In-Reply-To: <52C70F0B.7020406@web.de>
On Fri, Jan 03, 2014 at 08:27:07PM +0100, Jan Kiszka wrote:
> On 2014-01-03 20:00, Marcelo Tosatti wrote:
> >
> > After free_loaded_vmcs executes, the "loaded_vmcs" structure
> > is kfreed, and now vmx->loaded_vmcs points to a kfreed area.
> > Subsequent free_loaded_vmcs then attempts to manipulate
> > vmx->loaded_vmcs.
>
> Cannot follow yet. How precisely do we call free_loaded_vmcs twice on
> the same loaded_vmcs?
You don't:
nested_free_all_saved_vmcss calls kfree(item). item is struct
vmcs02_list *, which is:
/* Used to remember the last vmcs02 used for some recently used vmcs12s */
struct vmcs02_list {
	struct list_head list;
	gpa_t vmptr;
	struct loaded_vmcs vmcs02;
};
And vmx->loaded_vmcs = &item->vmcs02.
> I thought the frees triggered by free_nested ->
> nested_free_all_saved_vmcss stay away from vmx->loaded_vmcs, no?
Stays away as far as free_loaded_vmcs, yes.
Except it frees the structure pointed to by vmx->loaded_vmcs.
The separate question is about when vmcs01 is ever allocated again
if freed by nested_free_all_saved_vmcss (the other email).
> Jan
>
> >
> > Switch the order to avoid the problem.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1047892
> >
> > Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
> >
> > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> > index da7837e..2efa33f0 100644
> > --- a/arch/x86/kvm/vmx.c
> > +++ b/arch/x86/kvm/vmx.c
> > @@ -7332,8 +7332,8 @@ static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
> > struct vcpu_vmx *vmx = to_vmx(vcpu);
> >
> > free_vpid(vmx);
> > - free_nested(vmx);
> > free_loaded_vmcs(vmx->loaded_vmcs);
> > + free_nested(vmx);
> > kfree(vmx->guest_msrs);
> > kvm_vcpu_uninit(vcpu);
> > kmem_cache_free(kvm_vcpu_cache, vmx);
> >
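Review bot: the swap restores the order the description asks for, but nothing in the hunk records why free_loaded_vmcs must now run before free_nested, and the quoted exchange shows the dependency is not obvious from vmx_free_vcpu alone: vmx->loaded_vmcs may point at the vmcs02 embedded in a vmcs02_list entry that nested_free_all_saved_vmcss kfrees. Suggest a short comment above the two calls, e.g. `/* vmx->loaded_vmcs may alias a saved vmcs02; release it before free_nested frees the list */`, so a later cleanup does not silently reorder them again. The commit message would also benefit from saying that the second free is the kfree of the vmcs02_list entry rather than a second free_loaded_vmcs, since the current wording ("Subsequent free_loaded_vmcs then attempts to manipulate vmx->loaded_vmcs") prompted exactly that question in review.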
>
>
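A toy C model of the aliasing this reply describes, added here as an example and not kernel code: the struct names follow the mail, but the bodies are assumed stand-ins (free_loaded_vmcs only clears a field, the vmcs02 pool is a plain singly linked list), and the pre-patch branch reports the hazard instead of dereferencing freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Toy model of the aliasing described in this thread (added example, not kernel code). */
struct loaded_vmcs { int vmcs; };          /* stand-in: only one field */
struct vmcs02_list {                       /* mirrors the struct quoted in the mail */
	struct vmcs02_list *next;
	unsigned long vmptr;
	struct loaded_vmcs vmcs02;
};
struct vcpu_vmx {
	struct loaded_vmcs vmcs01;
	struct loaded_vmcs *loaded_vmcs;       /* may be &item->vmcs02 of a pooled item */
	struct vmcs02_list *vmcs02_pool;
};
/* true when vmx->loaded_vmcs aliases an entry that the pool teardown will free */
static bool loaded_vmcs_is_pooled(const struct vcpu_vmx *vmx)
{
	for (const struct vmcs02_list *it = vmx->vmcs02_pool; it; it = it->next)
		if (vmx->loaded_vmcs == &it->vmcs02)
			return true;
	return false;
}
static void free_loaded_vmcs(struct loaded_vmcs *l) { l->vmcs = 0; }  /* stand-in */
static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)  /* the free_nested path */
{
	while (vmx->vmcs02_pool) {
		struct vmcs02_list *item = vmx->vmcs02_pool;
		vmx->vmcs02_pool = item->next;
		free_loaded_vmcs(&item->vmcs02);
		free(item);                        /* any alias into item now dangles */
	}
}
/* Tear down a vcpu holding one pooled vmcs02, which is the loaded vmcs when 'pooled'
 * is set.  Returns false where the pre-patch order would touch the freed item. */
static bool teardown_is_safe(bool patched_order, bool pooled)
{
	struct vcpu_vmx vmx = { .vmcs01 = { 1 }, .vmcs02_pool = calloc(1, sizeof(struct vmcs02_list)) };
	vmx.vmcs02_pool->vmcs02.vmcs = 2;
	vmx.loaded_vmcs = pooled ? &vmx.vmcs02_pool->vmcs02 : &vmx.vmcs01;
	if (patched_order) {                   /* free_loaded_vmcs first, then free_nested */
		free_loaded_vmcs(vmx.loaded_vmcs);
		nested_free_all_saved_vmcss(&vmx);
		return true;
	}
	bool dangles = loaded_vmcs_is_pooled(&vmx);  /* pre-patch: free_nested first */
	nested_free_all_saved_vmcss(&vmx);
	if (dangles) return false;             /* free_loaded_vmcs(vmx.loaded_vmcs) would be a UAF */
	free_loaded_vmcs(vmx.loaded_vmcs);
	return true;
}
```

Only the combination of pre-patch order and a loaded vmcs02 from the pool reports a hazard; the patched order is safe in both cases.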
Thread overview:
2014-01-03 19:00 KVM: VMX: fix use after free of vmx->loaded_vmcs  Marcelo Tosatti
2014-01-03 19:27 ` Jan Kiszka
2014-01-03 19:36 ` Marcelo Tosatti [this message]
2014-01-03 19:54 ` Jan Kiszka