From: Paolo Bonzini <pbonzini@redhat.com>
To: Steve Rutherford <srutherford@google.com>
Cc: "KVM list" <kvm@vger.kernel.org>, "Radim Krčmář" <rkrcmar@redhat.com>
Subject: Re: [PATCH 4/7] KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi
Date: Tue, 10 Jan 2017 04:32:48 -0500 (EST) [thread overview]
Message-ID: <1011080647.6505181.1484040768030.JavaMail.zimbra@redhat.com> (raw)
In-Reply-To: <CABayD+fOYYYt48cm_fiNG_JCEAh9=iuBQc=j9EwsyutkKSvRzQ@mail.gmail.com>
> Doesn't this same bug also affect kvm_irq_map_chip_pin?
>
> (Note: I haven't chased down whether anything can even reach here if
> irq_rt is NULL.)
No, it is safe because kvm_irq_map_chip_pin requires having created an
irqchip, and:
- host code (kvm_set_irq) in virt/kvm/irqchip.c goes through kvm_irq_map_gsi,
and until you have a successful kvm_irq_map_gsi you cannot get to
kvm_notify_acked_irq
- guest code (such as ioapic_write_indirect) can call kvm_irq_map_chip_pin,
but it cannot run until KVM_CREATE_IRQCHIP returns. KVM_CREATE_IRQCHIP
requires that there are no VCPUs, and kvm->lock protects both KVM_CREATE_IRQCHIP
and (the first part of) KVM_CREATE_VCPU.
Maybe it was possible, but very unlikely, before commit 557abc40d121
("KVM: remove kvm_vcpu_compatible", 2016-06-16).
Paolo
> int kvm_irq_map_chip_pin(struct kvm *kvm, unsigned irqchip, unsigned pin)
> {
> struct kvm_irq_routing_table *irq_rt;
>
> irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
> +
> + if (!irq_rt)
> + return -1;
> +
> return irq_rt->chip[irqchip][pin];
> }
>
> Steve
>
> On Wed, Jun 1, 2016 at 5:09 AM, Paolo Bonzini <pbonzini@redhat.com> wrote:
> > Found by syzkaller:
> >
> > BUG: unable to handle kernel NULL pointer dereference at
> > 0000000000000120
> > IP: [<ffffffffa0797202>] kvm_irq_map_gsi+0x12/0x90 [kvm]
> > PGD 6f80b067 PUD b6535067 PMD 0
> > Oops: 0000 [#1] SMP
> > CPU: 3 PID: 4988 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
> > [...]
> > Call Trace:
> > [<ffffffffa0795f62>] irqfd_update+0x32/0xc0 [kvm]
> > [<ffffffffa0796c7c>] kvm_irqfd+0x3dc/0x5b0 [kvm]
> > [<ffffffffa07943f4>] kvm_vm_ioctl+0x164/0x6f0 [kvm]
> > [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
> > [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
> > [<ffffffff817a1062>] tracesys_phase2+0x84/0x89
> > Code: b5 71 a7 e0 5b 41 5c 41 5d 5d f3 c3 66 66 66 66 2e 0f 1f 84 00 00
> > 00 00 00 0f 1f 44 00 00 55 48 8b 8f 10 2e 00 00 31 c0 48 89 e5 <39> 91
> > 20 01 00 00 76 6a 48 63 d2 48 8b 94 d1 28 01 00 00 48 85
> > RIP [<ffffffffa0797202>] kvm_irq_map_gsi+0x12/0x90 [kvm]
> > RSP <ffff8800926cbca8>
> > CR2: 0000000000000120
> >
> > Testcase:
> >
> > #include <unistd.h>
> > #include <sys/syscall.h>
> > #include <string.h>
> > #include <stdint.h>
> > #include <linux/kvm.h>
> > #include <fcntl.h>
> > #include <sys/ioctl.h>
> >
> > long r[26];
> >
> > int main()
> > {
> > memset(r, -1, sizeof(r));
> > r[2] = open("/dev/kvm", 0);
> > r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
> >
> > struct kvm_irqfd ifd;
> > ifd.fd = syscall(SYS_eventfd2, 5, 0);
> > ifd.gsi = 3;
> > ifd.flags = 2;
> > ifd.resamplefd = ifd.fd;
> > r[25] = ioctl(r[3], KVM_IRQFD, &ifd);
> > return 0;
> > }
> >
> > Reported-by: Dmitry Vyukov <dvyukov@google.com>
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> > ---
> > virt/kvm/irqchip.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/virt/kvm/irqchip.c b/virt/kvm/irqchip.c
> > index fe84e1a95dd5..8db197bb6c7a 100644
> > --- a/virt/kvm/irqchip.c
> > +++ b/virt/kvm/irqchip.c
> > @@ -40,7 +40,7 @@ int kvm_irq_map_gsi(struct kvm *kvm,
> >
> > irq_rt = srcu_dereference_check(kvm->irq_routing, &kvm->irq_srcu,
> > lockdep_is_held(&kvm->irq_lock));
> > - if (gsi < irq_rt->nr_rt_entries) {
> > + if (irq_rt && gsi < irq_rt->nr_rt_entries) {
> > hlist_for_each_entry(e, &irq_rt->map[gsi], link) {
> > entries[n] = *e;
> > ++n;
> > --
> > 1.8.3.1
> >
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe kvm" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
next prev parent reply other threads:[~2017-01-10 9:32 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-06-01 12:09 [PATCH 0/7] KVM: syzkaller fixes Paolo Bonzini
2016-06-01 12:09 ` [PATCH 1/7] kvm: x86: avoid warning on repeated KVM_SET_TSS_ADDR Paolo Bonzini
2016-06-01 12:09 ` [PATCH 2/7] KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID Paolo Bonzini
2016-06-01 12:09 ` [PATCH 3/7] KVM: fail KVM_SET_VCPU_EVENTS with invalid exception number Paolo Bonzini
2016-06-01 12:09 ` [PATCH 4/7] KVM: irqfd: fix NULL pointer dereference in kvm_irq_map_gsi Paolo Bonzini
2017-01-09 22:39 ` Steve Rutherford
2017-01-10 9:32 ` Paolo Bonzini [this message]
2016-06-01 12:09 ` [PATCH 5/7] KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID Paolo Bonzini
2016-06-04 23:55 ` Wanpeng Li
2016-06-01 12:09 ` [PATCH 6/7] KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS Paolo Bonzini
2016-06-01 12:09 ` [PATCH 7/7] KVM: x86: protect KVM_CREATE_PIT/KVM_CREATE_PIT2 with kvm->lock Paolo Bonzini
2016-06-01 16:07 ` [PATCH 0/7] KVM: syzkaller fixes Radim Krčmář
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1011080647.6505181.1484040768030.JavaMail.zimbra@redhat.com \
--to=pbonzini@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=rkrcmar@redhat.com \
--cc=srutherford@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox