From: James Hogan <james.hogan@imgtec.com>
To: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Greg Kurz <gkurz@linux.vnet.ibm.com>,
Paolo Bonzini <pbonzini@redhat.com>, <mingo@redhat.com>,
<linux-mips@linux-mips.org>, <kvm@vger.kernel.org>,
<linux-kernel@vger.kernel.org>, <qemu-ppc@nongnu.org>,
Cornelia Huck <cornelia.huck@de.ibm.com>,
Paul Mackerras <paulus@samba.org>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v3] KVM: remove buggy vcpu id check on vcpu creation
Date: Wed, 20 Apr 2016 18:09:24 +0100 [thread overview]
Message-ID: <20160420170924.GA7859@jhogan-linux.le.imgtec.org> (raw)
In-Reply-To: <20160420170209.GA11071@potion>
[-- Attachment #1: Type: text/plain, Size: 2254 bytes --]
On Wed, Apr 20, 2016 at 07:02:10PM +0200, Radim Krčmář wrote:
> 2016-04-20 17:44+0200, Greg Kurz:
> > Commit 338c7dbadd26 ("KVM: Improve create VCPU parameter (CVE-2013-4587)")
> > introduced a check to prevent potential kernel memory corruption in case
> > the vcpu id is too great.
> >
> > Unfortunately this check assumes vcpu ids grow in sequence with a common
> > difference of 1, which is wrong: archs are free to use vcpu id as they fit.
> > For example, QEMU originated vcpu ids for PowerPC cpus running in boot3s_hv
> > mode, can grow with a common difference of 2, 4 or 8: if KVM_MAX_VCPUS is
> > 1024, guests may be limited down to 128 vcpus on POWER8.
> >
> > This means the check does not belong here and should be moved to some arch
> > specific function: kvm_arch_vcpu_create() looks like a good candidate.
> >
> > ARM and s390 already have such a check.
> >
> > I could not spot any path in the PowerPC or common KVM code where a vcpu
> > id is used as described in the above commit: I believe PowerPC can live
> > without this check.
> >
> > In the end, this patch simply moves the check to MIPS and x86.
> >
> > Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> > ---
> > v3: use ERR_PTR()
> >
> > arch/mips/kvm/mips.c | 7 ++++++-
> > arch/x86/kvm/x86.c | 3 +++
> > virt/kvm/kvm_main.c | 3 ---
> > 3 files changed, 9 insertions(+), 4 deletions(-)
> >
> > diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
> > index 70ef1a43c114..0278ea146db5 100644
> > --- a/arch/mips/kvm/mips.c
> > +++ b/arch/mips/kvm/mips.c
> > @@ -248,9 +248,14 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
> > int err, size, offset;
> > void *gebase;
> > int i;
> > + struct kvm_vcpu *vcpu;
> >
> > - struct kvm_vcpu *vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
> > + if (id >= KVM_MAX_VCPUS) {
> > + err = -EINVAL;
> > + goto out;
>
> 'vcpu' looks undefined at this point, so kfree in 'out:' may bug.
Thats out_free_cpu I think?
Cheers
James
> Just 'return ERR_PTR(-EINVAL)'?
>
> > + }
> >
> > + vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
> > if (!vcpu) {
> > err = -ENOMEM;
> > goto out;
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: James Hogan <james.hogan@imgtec.com>
To: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Greg Kurz <gkurz@linux.vnet.ibm.com>,
Paolo Bonzini <pbonzini@redhat.com>,
mingo@redhat.com, linux-mips@linux-mips.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, qemu-ppc@nongnu.org,
Cornelia Huck <cornelia.huck@de.ibm.com>,
Paul Mackerras <paulus@samba.org>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v3] KVM: remove buggy vcpu id check on vcpu creation
Date: Wed, 20 Apr 2016 18:09:24 +0100 [thread overview]
Message-ID: <20160420170924.GA7859@jhogan-linux.le.imgtec.org> (raw)
Message-ID: <20160420170924.jr30wSL3PO9wRVQFC69_4L2xbwQO1UCojZZNWhZ8niU@z> (raw)
In-Reply-To: <20160420170209.GA11071@potion>
[-- Attachment #1: Type: text/plain, Size: 2254 bytes --]
On Wed, Apr 20, 2016 at 07:02:10PM +0200, Radim Krčmář wrote:
> 2016-04-20 17:44+0200, Greg Kurz:
> > Commit 338c7dbadd26 ("KVM: Improve create VCPU parameter (CVE-2013-4587)")
> > introduced a check to prevent potential kernel memory corruption in case
> > the vcpu id is too great.
> >
> > Unfortunately this check assumes vcpu ids grow in sequence with a common
> > difference of 1, which is wrong: archs are free to use vcpu id as they fit.
> > For example, QEMU originated vcpu ids for PowerPC cpus running in boot3s_hv
> > mode, can grow with a common difference of 2, 4 or 8: if KVM_MAX_VCPUS is
> > 1024, guests may be limited down to 128 vcpus on POWER8.
> >
> > This means the check does not belong here and should be moved to some arch
> > specific function: kvm_arch_vcpu_create() looks like a good candidate.
> >
> > ARM and s390 already have such a check.
> >
> > I could not spot any path in the PowerPC or common KVM code where a vcpu
> > id is used as described in the above commit: I believe PowerPC can live
> > without this check.
> >
> > In the end, this patch simply moves the check to MIPS and x86.
> >
> > Signed-off-by: Greg Kurz <gkurz@linux.vnet.ibm.com>
> > ---
> > v3: use ERR_PTR()
> >
> > arch/mips/kvm/mips.c | 7 ++++++-
> > arch/x86/kvm/x86.c | 3 +++
> > virt/kvm/kvm_main.c | 3 ---
> > 3 files changed, 9 insertions(+), 4 deletions(-)
> >
> > diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
> > index 70ef1a43c114..0278ea146db5 100644
> > --- a/arch/mips/kvm/mips.c
> > +++ b/arch/mips/kvm/mips.c
> > @@ -248,9 +248,14 @@ struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, unsigned int id)
> > int err, size, offset;
> > void *gebase;
> > int i;
> > + struct kvm_vcpu *vcpu;
> >
> > - struct kvm_vcpu *vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
> > + if (id >= KVM_MAX_VCPUS) {
> > + err = -EINVAL;
> > + goto out;
>
> 'vcpu' looks undefined at this point, so kfree in 'out:' may bug.
Thats out_free_cpu I think?
Cheers
James
> Just 'return ERR_PTR(-EINVAL)'?
>
> > + }
> >
> > + vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL);
> > if (!vcpu) {
> > err = -ENOMEM;
> > goto out;
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2016-04-20 17:09 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-04-20 15:44 [PATCH v3] KVM: remove buggy vcpu id check on vcpu creation Greg Kurz
2016-04-20 16:10 ` James Hogan
2016-04-20 16:10 ` James Hogan
2016-04-20 16:48 ` Cornelia Huck
2016-04-21 13:24 ` David Hildenbrand
2016-04-20 17:02 ` Radim Krčmář
2016-04-20 17:09 ` James Hogan [this message]
2016-04-20 17:09 ` James Hogan
2016-04-20 17:27 ` Radim Krčmář
2016-04-20 17:53 ` Greg Kurz
2016-04-20 18:31 ` Radim Krčmář
2016-04-20 18:29 ` Radim Krčmář
2016-04-21 11:29 ` Greg Kurz
2016-04-21 11:29 ` Greg Kurz
2016-04-21 12:26 ` Cornelia Huck
2016-04-21 13:05 ` Greg Kurz
2016-04-21 13:22 ` David Hildenbrand
2016-04-21 15:29 ` Radim Krčmář
2016-04-21 15:49 ` Greg Kurz
2016-04-21 16:08 ` Radim Krčmář
2016-04-21 17:18 ` Greg Kurz
2016-04-21 17:39 ` Radim Krčmář
2016-04-21 18:08 ` Greg Kurz
2016-04-22 1:40 ` Wanpeng Li
2016-04-22 13:07 ` Radim Krčmář
2016-04-23 22:54 ` Wanpeng Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160420170924.GA7859@jhogan-linux.le.imgtec.org \
--to=james.hogan@imgtec.com \
--cc=cornelia.huck@de.ibm.com \
--cc=david@gibson.dropbear.id.au \
--cc=gkurz@linux.vnet.ibm.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mips@linux-mips.org \
--cc=mingo@redhat.com \
--cc=paulus@samba.org \
--cc=pbonzini@redhat.com \
--cc=qemu-ppc@nongnu.org \
--cc=rkrcmar@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.