From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <kvm-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1146AC04A6A
	for <kvm@archiver.kernel.org>; Tue, 11 Jul 2023 16:26:45 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230398AbjGKQ0n (ORCPT <rfc822;kvm@archiver.kernel.org>);
        Tue, 11 Jul 2023 12:26:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57674 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230072AbjGKQ0l (ORCPT <rfc822;kvm@vger.kernel.org>);
        Tue, 11 Jul 2023 12:26:41 -0400
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3987A99
        for <kvm@vger.kernel.org>; Tue, 11 Jul 2023 09:26:40 -0700 (PDT)
Received: by mail-pf1-x430.google.com with SMTP id d2e1a72fcca58-666fb8b1bc8so5311205b3a.1
        for <kvm@vger.kernel.org>; Tue, 11 Jul 2023 09:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1689092800; x=1691684800;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=FnogQ7HLpRF5+op/EYR0WRYtuefnaYhu4nhQsCtg9DI=;
        b=nYXGo198BbM03RIP7UU0985bq/mKFrMAZ8QCvoEU4vxnvQjVmDh6w8bxrebH1kiVMq
         PQcNyVMFfAV1nbaAlu8bOMRieTT7CGsuiLLQeHGEWH64OnH1dNkXSKZy2yAPeY5wfUYx
         lhkX6B3dh8M7Ad8XpfWKjutJ7uQK7QnTyvDzA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1689092800; x=1691684800;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=FnogQ7HLpRF5+op/EYR0WRYtuefnaYhu4nhQsCtg9DI=;
        b=DXB7uZiPYwAstwma/ntIg4wdo4zD9XLrwcNwxwOfNdHC90A0SQk3VbKbjz9SQORU7L
         NuB0Z81eCKrqsTr+i9QiZVAj3ccTJdfAJRIwIlZkSWO0jaz2Dl92NiMnrioKdEoCkXvT
         +4EewIgOoaHu++dfh4pNMgBPzqcupUsu6eP9LlEm+TuJANxcbM+HBhRku6Cu+8O527um
         ltcrikr7DrxQS7aNNCB8ozKz6ea0UejLhTXqts4A7JgClEB7W9/IsB2uBCghnF0TE05Y
         77gHEp6Os6oDkTAeRlUqA99oyJN6ykRnrH2MjDx9PfD7eVeKM1xKsLigYGvLRTOuG1Zz
         wPXg==
X-Gm-Message-State: ABy/qLYP8H1kfQuDb3wxDhpcYHj6PLNZ00u7/028h5kKObhqUs6CzAhj
        /CKx0S5zfYDRnosyamtekAnrdw==
X-Google-Smtp-Source: APBJJlHPT8zxb8dffvFxjIXVZsxroWt6k1sP9UuWClw8e3VLZG1MIqrloCoxrh09rhTflME/mNoIww==
X-Received: by 2002:a05:6a20:60b:b0:122:92d0:452a with SMTP id 11-20020a056a20060b00b0012292d0452amr16544394pzl.37.1689092799583;
        Tue, 11 Jul 2023 09:26:39 -0700 (PDT)
Received: from www.outflux.net (198-0-35-241-static.hfc.comcastbusiness.net. [198.0.35.241])
        by smtp.gmail.com with ESMTPSA id d20-20020aa78154000000b0066f37665a6asm1916962pfn.117.2023.07.11.09.26.39
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 11 Jul 2023 09:26:39 -0700 (PDT)
Date:   Tue, 11 Jul 2023 09:26:38 -0700
From:   Kees Cook <keescook@chromium.org>
To:     Sean Christopherson <seanjc@google.com>
Cc:     Andrew Morton <akpm@linux-foundation.org>,
        Zheng Zhang <zheng.zhang@email.ucr.edu>,
        linux-hardening@vger.kernel.org, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
        Matthew Wilcox <willy@infradead.org>
Subject: Re: [BUG]: bad usercopy in kvm_stats_read in mm/usercopy.c
Message-ID: <202307110925.CBAF286C0A@keescook>
References: <CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com>
 <20230710133427.fb599ef486c7b764d9ca2cc3@linux-foundation.org>
 <ZK2ABPwCke32Kh0q@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZK2ABPwCke32Kh0q@google.com>
Precedence: bulk
List-ID: <kvm.vger.kernel.org>
X-Mailing-List: kvm@vger.kernel.org

On Tue, Jul 11, 2023 at 09:15:00AM -0700, Sean Christopherson wrote:
> On Mon, Jul 10, 2023, Andrew Morton wrote:
> > On Sun, 9 Jul 2023 14:32:09 -0700 Zheng Zhang <zheng.zhang@email.ucr.edu> wrote:
> > 
> > > Kees, Andrew, and  to whom it may concern:
> > > 
> > > Hello! We have found a bug in the Linux kernel version 6.2.0 by syzkaller
> > > with our own templates. It also produces a POC.
> > > Attached is the report, log, and reproducers generated by syzkaller
> > > Please let me know if there is any additional information that I can
> > > provide to help debug this issue.
> > > Thanks!
> > 
> > Let's cc the kvm mailing list.
> > 
> > Original email is at
> > https://lkml.kernel.org/r/CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com
> 
> Yeaaaah.  We failed kernel programming 101.  KVM installs file descriptors to
> let userspace read VM and vCPU stats, but doesn't grab a reference to the VM to
> ensure the VM and its vCPUs are kept alive until the stats fds are closed.  I'll
> send a patch.

Thanks! Another victory for hardened usercopy. :)

-- 
Kees Cook