* [PATCH v2] kvm: Fix warning in__kvm_gpc_refresh
@ 2024-06-27 15:03 Pei Li
From: Pei Li @ 2024-06-27 15:03 UTC (permalink / raw)
To: David Woodhouse, Paul Durrant, Sean Christopherson, Paolo Bonzini,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Nathan Chancellor, Nick Desaulniers,
Bill Wendling, Justin Stitt
Cc: kvm, linux-kernel, skhan, linux-kernel-mentees, syzkaller-bugs,
llvm, syzbot+fd555292a1da3180fc82, Pei Li
Check for invalid hva address stored in data and return -EINVAL before
calling into __kvm_gpc_activate().
Reported-by: syzbot+fd555292a1da3180fc82@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=fd555292a1da3180fc82
Tested-by: syzbot+fd555292a1da3180fc82@syzkaller.appspotmail.com
Signed-off-by: Pei Li <peili.dev@gmail.com>
---
Syzbot reports a warning message in __kvm_gpc_refresh(). This warning
requires at least one of gpa and uhva to be valid.
WARNING: CPU: 0 PID: 5090 at arch/x86/kvm/../../../virt/kvm/pfncache.c:259 __kvm_gpc_refresh+0xf17/0x1090 arch/x86/kvm/../../../virt/kvm/pfncache.c:259
We are calling it from kvm_gpc_activate_hva(). This function always calls
__kvm_gpc_activate() with INVALID_GPA. Thus, uhva must be valid to
disable this warning.
This patch checks for an invalid hva address and returns -EINVAL before
calling __kvm_gpc_activate().
syzbot has tested the proposed patch and the reproducer did not trigger
any issue.
Tested on:
commit: afcd4813 Merge tag 'mm-hotfixes-stable-2024-06-26-17-2..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1427e301980000
kernel config: https://syzkaller.appspot.com/x/.config?x=e40800950091403a
dashboard link: https://syzkaller.appspot.com/bug?extid=fd555292a1da3180fc82
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13838f3e980000
Note: testing is done by a robot and is best-effort only.
---
Changes in v2:
- Adapted Sean's suggestion to check for valid address before calling
into __kvm_gpc_activate().
- Link to v1: https://lore.kernel.org/r/20240625-bug5-v1-1-e072ed5fce85@gmail.com
---
arch/x86/kvm/xen.c | 2 +-
virt/kvm/pfncache.c | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index f65b35a05d91..67bb4e89c399 100644
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -741,7 +741,7 @@ int kvm_xen_hvm_set_attr(struct kvm *kvm, struct kvm_xen_hvm_attr *data)
} else {
void __user * hva = u64_to_user_ptr(data->u.shared_info.hva);
- if (!PAGE_ALIGNED(hva) || !access_ok(hva, PAGE_SIZE)) {
+ if (!PAGE_ALIGNED(hva)) {
r = -EINVAL;
} else if (!hva) {
kvm_gpc_deactivate(&kvm->arch.xen.shinfo_cache);
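Review bot: dropping access_ok(hva, PAGE_SIZE) here relies entirely on the range check now living in kvm_gpc_activate_hva(), but the `else` branch that actually calls kvm_gpc_activate_hva() is below this hunk, so please confirm that branch assigns the callee's return value to r; otherwise a non-user address would be silently accepted where this line previously set r = -EINVAL. The remaining order (PAGE_ALIGNED() first, then `!hva`) keeps the hva == 0 deactivate request working, since 0 is page aligned. A one-line comment noting that the access check moved into kvm_gpc_activate_hva() would save the next reader from searching for it.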
diff --git a/virt/kvm/pfncache.c b/virt/kvm/pfncache.c
index e3453e869e92..f0039efb9e1e 100644
--- a/virt/kvm/pfncache.c
+++ b/virt/kvm/pfncache.c
@@ -430,6 +430,9 @@ int kvm_gpc_activate(struct gfn_to_pfn_cache *gpc, gpa_t gpa, unsigned long len)
int kvm_gpc_activate_hva(struct gfn_to_pfn_cache *gpc, unsigned long uhva, unsigned long len)
{
+ if (!access_ok((void __user *)uhva, len))
+ return -EINVAL;
+
return __kvm_gpc_activate(gpc, INVALID_GPA, uhva, len);
}
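Review bot: placing the access_ok() check in kvm_gpc_activate_hva() covers every caller of this helper, not only the Xen shared-info path, which is the right scope given the commit message's point that this function always passes INVALID_GPA and therefore must hand __kvm_gpc_activate() a valid uhva. A short comment above the check stating exactly that would make the reason for the -EINVAL visible at the site. Worth keeping in mind for the commit message too: access_ok() only validates that [uhva, uhva + len) lies within the user address range; it does not establish that anything is mapped there, and that remains the job of the later refresh path the WARNING came from.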
---
base-commit: 2bfcfd584ff5ccc8bb7acde19b42570414bf880b
change-id: 20240625-bug5-5d332b5e5161
Best regards,
--
Pei Li <peili.dev@gmail.com>
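To make the validation order the patch ends up with concrete, here is an added user-space model; it is not kernel code and not part of this patch. access_ok(), PAGE_ALIGNED() and the user address limit are replaced by simplified stand-ins (model_access_ok(), MODEL_USER_LIMIT), the struct and function names prefixed with model_ are invented for the example, and the sample addresses are constructed. It shows why the hva == 0 deactivate request still gets through, and why a kernel-half or unaligned address is rejected with -EINVAL before any activation happens.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL
#define PAGE_ALIGNED(a) ((((uintptr_t)(a)) & (PAGE_SIZE - 1)) == 0)
/* Constructed stand-in for the top of the user address space; the real
 * access_ok() uses the architecture's own limit, not this constant. */
#define MODEL_USER_LIMIT 0x00007ffffffff000UL

struct model_gpc {
    int active;
    uintptr_t uhva;
    unsigned long len;
};

/* Stand-in for access_ok(): a pure range check. It does not prove that
 * anything is mapped at the address; it only rejects ranges that end
 * beyond the user limit or whose end wraps around. */
static int model_access_ok(uintptr_t addr, unsigned long len)
{
    uintptr_t end;

    if (__builtin_add_overflow(addr, len, &end))
        return 0;
    return end <= MODEL_USER_LIMIT;
}

/* Model of kvm_gpc_activate_hva() after the patch: the range check runs
 * before activation, so an invalid uhva never reaches the refresh path
 * that the WARNING in the commit message comes from. */
static int model_gpc_activate_hva(struct model_gpc *gpc, uintptr_t uhva,
                                  unsigned long len)
{
    if (!model_access_ok(uhva, len))
        return -EINVAL;
    gpc->active = 1;
    gpc->uhva = uhva;
    gpc->len = len;
    return 0;
}

static void model_gpc_deactivate(struct model_gpc *gpc)
{
    gpc->active = 0;
    gpc->uhva = 0;
    gpc->len = 0;
}

/* Model of the xen.c branch after the patch: alignment first, then the
 * hva == 0 "deactivate" request, then activation. Because 0 is page
 * aligned, the deactivate request still passes the first check. */
static int model_set_shinfo_hva(struct model_gpc *gpc, uint64_t hva)
{
    if (!PAGE_ALIGNED(hva))
        return -EINVAL;
    if (!hva) {
        model_gpc_deactivate(gpc);
        return 0;
    }
    return model_gpc_activate_hva(gpc, (uintptr_t)hva, PAGE_SIZE);
}

/* Run one request against a fresh cache; returns r and reports the
 * resulting active flag through *active (may be NULL). */
static int model_request(uint64_t hva, int *active)
{
    struct model_gpc gpc = { 0 };
    int r = model_set_shinfo_hva(&gpc, hva);

    if (active)
        *active = gpc.active;
    return r;
}

int main(void)
{
    /* Constructed sample inputs, one per branch. */
    const uint64_t samples[] = {
        0x7f0000001000ULL,     /* aligned user address: activates */
        0x7f0000001001ULL,     /* unaligned: -EINVAL from the alignment check */
        0x0ULL,                /* zero: deactivates the cache */
        0xffff888000000000ULL, /* kernel-half address: -EINVAL from the range check */
        0x00007ffffffff000ULL, /* [hva, hva + PAGE_SIZE) crosses the limit: -EINVAL */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int active;
        int r = model_request(samples[i], &active);

        printf("hva=%#018llx -> r=%d active=%d\n",
               (unsigned long long)samples[i], r, active);
    }
    return 0;
}
```

The point the model makes is that the two checks answer different questions: PAGE_ALIGNED() is about the value's shape and must come before the `!hva` test so that 0 can still mean "deactivate", while the range check belongs with activation, which is exactly where the patch puts it.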
* Re: [PATCH v2] kvm: Fix warning in__kvm_gpc_refresh
From: Paul Durrant @ 2024-06-28 14:25 UTC (permalink / raw)
To: Pei Li, David Woodhouse, Sean Christopherson, Paolo Bonzini,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Nathan Chancellor, Nick Desaulniers,
Bill Wendling, Justin Stitt
Cc: kvm, linux-kernel, skhan, linux-kernel-mentees, syzkaller-bugs,
llvm, syzbot+fd555292a1da3180fc82
On 27/06/2024 16:03, Pei Li wrote:
> Check for invalid hva address stored in data and return -EINVAL before
> calling into __kvm_gpc_activate().
>
> Reported-by: syzbot+fd555292a1da3180fc82@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=fd555292a1da3180fc82
> Tested-by: syzbot+fd555292a1da3180fc82@syzkaller.appspotmail.com
> Signed-off-by: Pei Li <peili.dev@gmail.com>
> ---
> Syzbot reports a warning message in __kvm_gpc_refresh(). This warning
> requires at least one of gpa and uhva to be valid.
> WARNING: CPU: 0 PID: 5090 at arch/x86/kvm/../../../virt/kvm/pfncache.c:259 __kvm_gpc_refresh+0xf17/0x1090 arch/x86/kvm/../../../virt/kvm/pfncache.c:259
>
> We are calling it from kvm_gpc_activate_hva(). This function always calls
> __kvm_gpc_activate() with INVALID_GPA. Thus, uhva must be valid to
> disable this warning.
>
> This patch checks for an invalid hva address and returns -EINVAL before
> calling __kvm_gpc_activate().
>
> syzbot has tested the proposed patch and the reproducer did not trigger
> any issue.
>
> Tested on:
>
> commit: afcd4813 Merge tag 'mm-hotfixes-stable-2024-06-26-17-2..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1427e301980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e40800950091403a
> dashboard link: https://syzkaller.appspot.com/bug?extid=fd555292a1da3180fc82
> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> patch: https://syzkaller.appspot.com/x/patch.diff?x=13838f3e980000
>
> Note: testing is done by a robot and is best-effort only.
> ---
> Changes in v2:
> - Adapted Sean's suggestion to check for valid address before calling
> into __kvm_gpc_activate().
> - Link to v1: https://lore.kernel.org/r/20240625-bug5-v1-1-e072ed5fce85@gmail.com
> ---
> arch/x86/kvm/xen.c | 2 +-
> virt/kvm/pfncache.c | 3 +++
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
Reviewed-by: Paul Durrant <paul@xen.org>
* Re: [PATCH v2] kvm: Fix warning in__kvm_gpc_refresh
From: David Woodhouse @ 2024-06-28 15:00 UTC (permalink / raw)
To: paul, Pei Li, Sean Christopherson, Paolo Bonzini, Thomas Gleixner,
Ingo Molnar, Borislav Petkov, Dave Hansen, x86, H. Peter Anvin,
Nathan Chancellor, Nick Desaulniers, Bill Wendling, Justin Stitt
Cc: kvm, linux-kernel, skhan, linux-kernel-mentees, syzkaller-bugs,
llvm, syzbot+fd555292a1da3180fc82
On Fri, 2024-06-28 at 15:25 +0100, Paul Durrant wrote:
> On 27/06/2024 16:03, Pei Li wrote:
> > Check for invalid hva address stored in data and return -EINVAL before
> > calling into __kvm_gpc_activate().
> >
> > Reported-by: syzbot+fd555292a1da3180fc82@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=fd555292a1da3180fc82
> > Tested-by: syzbot+fd555292a1da3180fc82@syzkaller.appspotmail.com
> > Signed-off-by: Pei Li <peili.dev@gmail.com>
> > ---
> > Syzbot reports a warning message in __kvm_gpc_refresh(). This warning
> > requires at least one of gpa and uhva to be valid.
> > WARNING: CPU: 0 PID: 5090 at arch/x86/kvm/../../../virt/kvm/pfncache.c:259 __kvm_gpc_refresh+0xf17/0x1090 arch/x86/kvm/../../../virt/kvm/pfncache.c:259
> >
> > We are calling it from kvm_gpc_activate_hva(). This function always calls
> > __kvm_gpc_activate() with INVALID_GPA. Thus, uhva must be valid to
> > disable this warning.
> >
> > This patch checks for an invalid hva address and returns -EINVAL before
> > calling __kvm_gpc_activate().
> >
> > syzbot has tested the proposed patch and the reproducer did not trigger
> > any issue.
> >
> > Tested on:
> >
> > commit: afcd4813 Merge tag 'mm-hotfixes-stable-2024-06-26-17-2..
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=1427e301980000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=e40800950091403a
> > dashboard link: https://syzkaller.appspot.com/bug?extid=fd555292a1da3180fc82
> > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> > patch: https://syzkaller.appspot.com/x/patch.diff?x=13838f3e980000
> >
> > Note: testing is done by a robot and is best-effort only.
> > ---
> > Changes in v2:
> > - Adapted Sean's suggestion to check for valid address before calling
> > into __kvm_gpc_activate().
> > - Link to v1: https://lore.kernel.org/r/20240625-bug5-v1-1-e072ed5fce85@gmail.com
> > ---
> > arch/x86/kvm/xen.c | 2 +-
> > virt/kvm/pfncache.c | 3 +++
> > 2 files changed, 4 insertions(+), 1 deletion(-)
> >
>
> Reviewed-by: Paul Durrant <paul@xen.org>
Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
Thanks.
* Re: [PATCH v2] kvm: Fix warning in__kvm_gpc_refresh
From: Sean Christopherson @ 2024-06-28 22:55 UTC (permalink / raw)
To: Sean Christopherson, David Woodhouse, Paul Durrant, Paolo Bonzini,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Nathan Chancellor, Nick Desaulniers,
Bill Wendling, Justin Stitt, Pei Li
Cc: kvm, linux-kernel, skhan, linux-kernel-mentees, syzkaller-bugs,
llvm, syzbot+fd555292a1da3180fc82
On Thu, 27 Jun 2024 08:03:56 -0700, Pei Li wrote:
> Check for invalid hva address stored in data and return -EINVAL before
> calling into __kvm_gpc_activate().
Applied to kvm-x86 fixes, thanks!
[1/1] kvm: Fix warning in__kvm_gpc_refresh
https://github.com/kvm-x86/linux/commit/ebbdf37ce9ab
--
https://github.com/kvm-x86/linux/tree/next