From: Oliver Upton
To: Quentin Perret
Cc: kvm@vger.kernel.org, Marc Zyngier, Ben Gardon, linux-kernel@vger.kernel.org, Catalin Marinas, David Matlack, Paolo Bonzini, Will Deacon, kvmarm@lists.cs.columbia.edu, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 02/14] KVM: arm64: Tear down unlinked stage-2 subtree after break-before-make
Date: Fri, 9 Sep 2022 11:04:37 +0100
References: <20220830194132.962932-1-oliver.upton@linux.dev> <20220830194132.962932-3-oliver.upton@linux.dev>

On Tue, Sep 06, 2022 at 02:35:47PM +0000, Quentin Perret wrote:
> Hi Oliver,
>
> On Tuesday 30 Aug 2022 at 19:41:20 (+0000), Oliver Upton wrote:
> > static int stage2_map_walk_table_pre(u64 addr, u64 end, u32 level,
> > kvm_pte_t *ptep,
> > struct stage2_map_data *data)
> > {
> > - if (data->anchor)
> > - return 0;
> > + struct kvm_pgtable_mm_ops *mm_ops = data->mm_ops;
> > + kvm_pte_t *childp = kvm_pte_follow(*ptep, mm_ops);
> > + struct kvm_pgtable *pgt = data->mmu->pgt;
> > + int ret;
> >
> > if (!stage2_leaf_mapping_allowed(addr, end, level, data))
> > return 0;
> >
> > - data->childp = kvm_pte_follow(*ptep, data->mm_ops);
> > kvm_clear_pte(ptep);
> >
> > /*
> > @@ -782,8 +786,13 @@ static int stage2_map_walk_table_pre(u64 addr, u64 end, u32 level,
> > * individually.
> > */
> > kvm_call_hyp(__kvm_tlb_flush_vmid, data->mmu);
> > - data->anchor = ptep;
> > - return 0;
> > +
> > + ret = stage2_map_walk_leaf(addr, end, level, ptep, data);
> > +
> > + mm_ops->put_page(ptep);
> > + mm_ops->free_removed_table(childp, level + 1, pgt);
>
> By the look of it, __kvm_pgtable_visit() has saved the table PTE on the
> stack prior to calling the TABLE_PRE callback, and it then uses the PTE
> from its stack and does kvm_pte_follow() to find the childp, and walks
> from there. Would that be a UAF now?

Sure would. I suppose the actual UAF is hidden by the use of RCU later in
the series. Nonetheless, I'm going to adopt David's suggestion of just
rereading the PTE, which should tidy this up.

Thanks for catching this.

-- 
Best,
Oliver
_______________________________________________
kvmarm mailing list
kvmarm@lists.cs.columbia.edu
https://lists.cs.columbia.edu/mailman/listinfo/kvmarm
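Review bot: In the second hunk, `mm_ops->free_removed_table(childp, level + 1, pgt)` frees the child table from inside the TABLE_PRE callback while the walker that invoked the callback still holds its own copy of the old table PTE; once the callback returns, the walker does `kvm_pte_follow()` on that stale copy and descends into `childp`, so the table is read after it has been freed (the UAF Quentin raises above). The fix belongs in the walker rather than here: have `__kvm_pgtable_visit()` re-read `*ptep` after the callback and descend only if the entry is still a table, or defer the `free_removed_table()` call until the walk has left the subtree. Within the visible lines, `ret` from `stage2_map_walk_leaf()` is also not checked before `put_page()` and `free_removed_table()` tear the old table down; if that is intentional because the PTE has already been cleared and flushed by the preceding `kvm_clear_pte()` and `__kvm_tlb_flush_vmid`, a one-line comment saying so would help the next reader.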
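As an added illustration (example code, not from the patch or from KVM) of the problem Quentin describes and the re-read fix Oliver says he will adopt: a toy page-table visitor in C whose TABLE_PRE callback collapses a table into a leaf and frees the child, walked once trusting the PTE it saved before the callback and once re-reading it. The names `table_pre_collapse`, `visit` and `walk_child_entries`, the PTE tag bit and the four-entry tables are invented for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Toy stage-2 walker (added example, not KVM code): a PTE is either a
 * child-table pointer tagged with PTE_TABLE or a leaf/invalid entry. */
typedef uintptr_t pte_t;
#define PTE_TABLE	((pte_t)1)
#define PTES_PER_TABLE	4

static int pte_is_table(pte_t pte) { return (pte & PTE_TABLE) != 0; }
static pte_t *pte_follow(pte_t pte) { return (pte_t *)(pte & ~PTE_TABLE); }

/* TABLE_PRE callback modelled on the patch: break the table PTE, make a
 * leaf in its place, then free the now-unlinked child table. */
static void table_pre_collapse(pte_t *ptep)
{
	pte_t *childp = pte_follow(*ptep);
	*ptep = 0;			/* break (a real walker flushes TLBs here) */
	*ptep = (pte_t)0x40000000;	/* make: block leaf, PTE_TABLE bit clear */
	free(childp);			/* unlinked and unreachable: tear it down */
}

/* Visit one PTE; return how many child-table entries the walker would read
 * next. With reread == 0 it trusts the PTE saved before the callback, so
 * after a collapse it would walk the freed table (the UAF in the thread);
 * with reread == 1 it re-reads *ptep and sees the new leaf. Entries are
 * only counted, never dereferenced, so the model never touches freed memory. */
static int visit(pte_t *ptep, int collapse, int reread)
{
	pte_t saved = *ptep, next;
	if (collapse && pte_is_table(saved))
		table_pre_collapse(ptep);
	next = reread ? *ptep : saved;
	return pte_is_table(next) ? PTES_PER_TABLE : 0;
}

/* Build a one-level tree (root PTE -> child table) and walk it once. */
int walk_child_entries(int collapse, int reread)
{
	pte_t *child = calloc(PTES_PER_TABLE, sizeof(*child));
	pte_t root = (pte_t)child | PTE_TABLE;
	int n;

	if (!child)
		return -1;
	n = visit(&root, collapse, reread);
	if (pte_is_table(root))
		free(child);		/* not collapsed: still owned by the tree */
	return n;
}
```

`walk_child_entries(1, 0)` still reports four entries to read after the child has been freed, which is the stale-copy walk Quentin points at; `walk_child_entries(1, 1)` reports none because the re-read PTE is now a leaf.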