From: "Radim Krčmář" <rkrcmar@redhat.com>
To: Greg Kurz <gkurz@linux.vnet.ibm.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
james.hogan@imgtec.com, mingo@redhat.com,
linux-mips@linux-mips.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, qemu-ppc@nongnu.org,
Cornelia Huck <cornelia.huck@de.ibm.com>,
Paul Mackerras <paulus@samba.org>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [PATCH v3] KVM: remove buggy vcpu id check on vcpu creation
Date: Wed, 20 Apr 2016 20:29:09 +0200
Message-ID: <20160420182909.GB4044@potion>
In-Reply-To: <146116689259.20666.15860134511726195550.stgit@bahia.huguette.org>
2016-04-20 17:44+0200, Greg Kurz:
> Commit 338c7dbadd26 ("KVM: Improve create VCPU parameter (CVE-2013-4587)")
> introduced a check to prevent potential kernel memory corruption in case
> the vcpu id is too great.
>
> Unfortunately this check assumes vcpu ids grow in sequence with a common
> difference of 1, which is wrong: archs are free to use vcpu id as they see fit.
> For example, QEMU originated vcpu ids for PowerPC cpus running in book3s_hv
> mode, can grow with a common difference of 2, 4 or 8: if KVM_MAX_VCPUS is
> 1024, guests may be limited down to 128 vcpus on POWER8.
>
> This means the check does not belong here and should be moved to some arch
> specific function: kvm_arch_vcpu_create() looks like a good candidate.
>
> ARM and s390 already have such a check.
>
> I could not spot any path in the PowerPC or common KVM code where a vcpu
> id is used as described in the above commit: I believe PowerPC can live
> without this check.
The only problematic path I see is kvm_get_vcpu_by_id(), which returns
NULL for any id above KVM_MAX_VCPUS.

kvm_vm_ioctl_create_vcpu() uses kvm_get_vcpu_by_id() to check for
duplicate ids, so PowerPC could end up with many VCPUs of the same id.
I'm not sure what could fail, but the code doesn't expect this situation.
Patching kvm_get_vcpu_by_id() is easy, though.

The second issue is that Documentation/virtual/kvm/api.txt says

  4.7 KVM_CREATE_VCPU
  [...]
  This API adds a vcpu to a virtual machine. The vcpu id is a small
  integer in the range [0, max_vcpus).

so we'd remove those two lines and change the API too. The change would
be somewhat backward compatible, but doesn't PowerPC use high vcpu_id
just because KVM is lacking an API to set DT ID?
x86 (APIC ID) is affected by this and ARM (MP ID) probably too.

(Maybe it is time to decouple VCPU ID used in KVM interfaces from
architecture dependent CPU ID that the guest uses ...
Mostly for future architectures that won't fit into 32 bits, but
clarity of the code could go up as well.)
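The failure mode the reply points at, as an added illustration that is not part of the thread and not KVM's code: a small constructed model of the creation path in which only the vcpu count is bounded and a by-id lookup is trusted to reject duplicates. `lookup_bounded` mirrors the described kvm_get_vcpu_by_id() behaviour (any id at or above the maximum yields NULL), `lookup_unbounded` is the obvious fix the reply calls easy, and `model_duplicates_of_16` replays a PowerPC-style stride-8 id sequence with one id requested twice. `MODEL_MAX_VCPUS`, `MODEL_SLOTS` and every `model_*` name are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not KVM's code. MODEL_MAX_VCPUS stands in for
 * KVM_MAX_VCPUS; MODEL_SLOTS is a hypothetical storage limit. */
#define MODEL_MAX_VCPUS 8
#define MODEL_SLOTS     16

struct model_vcpu {
	int vcpu_id;	/* caller-chosen id, as passed to KVM_CREATE_VCPU */
};

struct model_vm {
	struct model_vcpu vcpus[MODEL_SLOTS];	/* filled in creation order */
	int online_vcpus;
};

typedef struct model_vcpu *(*lookup_fn)(struct model_vm *vm, int id);

/* Lookup behaving as the reply describes kvm_get_vcpu_by_id(): an id at or
 * above the maximum is rejected before the table is even searched. */
static struct model_vcpu *lookup_bounded(struct model_vm *vm, int id)
{
	if (id < 0 || id >= MODEL_MAX_VCPUS)
		return NULL;
	for (int i = 0; i < vm->online_vcpus; i++)
		if (vm->vcpus[i].vcpu_id == id)
			return &vm->vcpus[i];
	return NULL;
}

/* Lookup that searches every created vcpu whatever the id's magnitude, so
 * a sparse id (a PowerPC stride of 2, 4 or 8) is still found. */
static struct model_vcpu *lookup_unbounded(struct model_vm *vm, int id)
{
	if (id < 0)
		return NULL;
	for (int i = 0; i < vm->online_vcpus; i++)
		if (vm->vcpus[i].vcpu_id == id)
			return &vm->vcpus[i];
	return NULL;
}

/* Creation path once the id bound is gone: only the vcpu count is limited
 * and the lookup is relied upon to reject duplicate ids.
 * Returns 0 on success, -1 when the VM is full, -2 on a duplicate id. */
static int model_create_vcpu(struct model_vm *vm, int id, lookup_fn lookup)
{
	if (vm->online_vcpus >= MODEL_SLOTS)
		return -1;
	if (lookup(vm, id))
		return -2;
	vm->vcpus[vm->online_vcpus].vcpu_id = id;
	vm->online_vcpus++;
	return 0;
}

/* Number of vcpus carrying a given id; more than 1 is the "many VCPUs of
 * the same id" situation the reply warns the code does not expect. */
static int model_count_id(const struct model_vm *vm, int id)
{
	int n = 0;

	for (int i = 0; i < vm->online_vcpus; i++)
		if (vm->vcpus[i].vcpu_id == id)
			n++;
	return n;
}

/* Constructed scenario: ids spaced by 8 with id 16 requested twice.
 * Returns how many vcpus ended up with id 16 under the given lookup. */
static int model_duplicates_of_16(lookup_fn lookup)
{
	static const int ids[] = { 0, 8, 16, 16, 24 };
	struct model_vm vm;

	memset(&vm, 0, sizeof(vm));
	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++)
		(void)model_create_vcpu(&vm, ids[i], lookup);
	return model_count_id(&vm, 16);
}
```

With the bounded lookup every id from 8 upwards is invisible to the duplicate check, so the second request for id 16 succeeds and the VM holds two vcpus with that id; with the unbounded lookup the second request fails with -2 and the id stays unique. This is the reason the reply treats the lookup's bound, not only the creation-time bound, as part of the change.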