From mboxrd@z Thu Jan  1 00:00:00 1970
From: Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: KMSAN: kernel-infoleak in kvm_vcpu_write_guest_page
Date: Wed, 7 Nov 2018 13:47:58 +0100
Message-ID: <9d2e26fb-1d2a-248f-5451-ee95d8a6c017@redhat.com>
References: <0000000000005de8da057a092ba2@google.com>
 <CAG_fn=Wmc+YU8BMcY_RXxAvVTpAMez5QUFyQSH3UsRg4Y-ZwMQ@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: kvm@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>,
        rkrcmar@redhat.com, syzkaller-bugs@googlegroups.com
To: Alexander Potapenko <glider@google.com>,
        syzbot+ded1696f6b50b615b630@syzkaller.appspotmail.com
Return-path: <linux-kernel-owner@vger.kernel.org>
In-Reply-To: <CAG_fn=Wmc+YU8BMcY_RXxAvVTpAMez5QUFyQSH3UsRg4Y-ZwMQ@mail.gmail.com>
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
List-Id: kvm.vger.kernel.org

On 07/11/2018 13:10, Alexander Potapenko wrote:
> This appears to be a real bug in KVM.
> Please see a simplified reproducer attached.

Thanks, I agree it's a reael bug.  The basic issue is that the
kvm_state->size member is too small (1040) in the KVM_SET_NESTED_STATE
ioctl, aka 0x4080aebf.

One way to fix it would be to just change kmalloc to kzalloc when
allocating cached_vmcs12 and cached_shadow_vmcs12, but really the ioctl
is wrong and should be rejected.  And the case where a shadow VMCS has
to be loaded is even more wrong, and we have to fix it anyway, so I
don't really like the idea of papering over the bug in the allocation.

I'll test this patch and submit it formally:

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index c645f777b425..c546f0b1f3e0 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -14888,10 +14888,13 @@ static int vmx_set_nested_state(struct
kvm_vcpu *vcpu,
 	if (ret)
 		return ret;

-	/* Empty 'VMXON' state is permitted */
-	if (kvm_state->size < sizeof(kvm_state) + sizeof(*vmcs12))
+	/* Empty 'VMXON' state is permitted.  A partial VMCS12 is not.  */
+	if (kvm_state->size == sizeof(kvm_state))
 		return 0;

+	if (kvm_state->size < sizeof(kvm_state) + VMCS12_SIZE)
+		return -EINVAL;
+
 	if (kvm_state->vmx.vmcs_pa != -1ull) {
 		if (kvm_state->vmx.vmcs_pa == kvm_state->vmx.vmxon_pa ||
 		    !page_address_valid(vcpu, kvm_state->vmx.vmcs_pa))
@@ -14917,6 +14920,7 @@ static int vmx_set_nested_state(struct kvm_vcpu
*vcpu,
 	}

 	vmcs12 = get_vmcs12(vcpu);
+	BUILD_BUG_ON(sizeof(*vmcs12) > VMCS12_SIZE);
 	if (copy_from_user(vmcs12, user_kvm_nested_state->data, sizeof(*vmcs12)))
 		return -EFAULT;

@@ -14932,7 +14936,7 @@ static int vmx_set_nested_state(struct kvm_vcpu
*vcpu,
 	if (nested_cpu_has_shadow_vmcs(vmcs12) &&
 	    vmcs12->vmcs_link_pointer != -1ull) {
 		struct vmcs12 *shadow_vmcs12 = get_shadow_vmcs12(vcpu);
-		if (kvm_state->size < sizeof(kvm_state) + 2 * sizeof(*vmcs12))
+		if (kvm_state->size < sizeof(kvm_state) + 2 * VMCS12_SIZE)
 			return -EINVAL;

 		if (copy_from_user(shadow_vmcs12,

Paolo