From: Jan Kiszka
Subject: Re: KVM: VMX: fix use after free of vmx->loaded_vmcs
Date: Fri, 03 Jan 2014 20:27:07 +0100
Message-ID: <52C70F0B.7020406@web.de>
In-Reply-To: <20140103190051.GA16151@amt.cnet>
To: Marcelo Tosatti, kvm-devel
Cc: Paolo Bonzini

On 2014-01-03 20:00, Marcelo Tosatti wrote:
> 
> After free_loaded_vmcs executes, the "loaded_vmcs" structure
> is kfreed, and now vmx->loaded_vmcs points to a kfreed area.
> Subsequent free_loaded_vmcs then attempts to manipulate
> vmx->loaded_vmcs.

Cannot follow yet. How precisely do we call free_loaded_vmcs twice on the
same loaded_vmcs? I thought the frees triggered by free_nested ->
nested_free_all_saved_vmcss stay away from vmx->loaded_vmcs, no?

Jan

> 
> Switch the order to avoid the problem.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1047892
> 
> Signed-off-by: Marcelo Tosatti
> 
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index da7837e..2efa33f0 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -7332,8 +7332,8 @@ static void vmx_free_vcpu(struct kvm_vcpu *vcpu) > struct vcpu_vmx *vmx =3D to_vmx(vcpu); > =20 > free_vpid(vmx); > - free_nested(vmx); > free_loaded_vmcs(vmx->loaded_vmcs); > + free_nested(vmx); > kfree(vmx->guest_msrs); > kvm_vcpu_uninit(vcpu); > kmem_cache_free(kvm_vcpu_cache, vmx); >=20
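Review bot: nothing in the hunk or in the commit message says why free_loaded_vmcs(vmx->loaded_vmcs) now has to run before free_nested(vmx); the message asserts that free_nested kfrees the object vmx->loaded_vmcs points at but does not name the path (the reply above asks exactly that about free_nested -> nested_free_all_saved_vmcss). The new order also implies that free_loaded_vmcs() can be applied twice to the same loaded_vmcs, once here and once from inside free_nested, so the fix silently relies on free_loaded_vmcs() tolerating a second call on an object it has already torn down. Both points belong in the commit message and in a one-line comment above `free_loaded_vmcs(vmx->loaded_vmcs);`, e.g. "must precede free_nested(), which may free the memory vmx->loaded_vmcs points to", so that the next reordering of vmx_free_vcpu() does not reintroduce the use after free.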
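The ordering problem the thread is about, as an added example in C that is not code from this thread or from the KVM tree: a small model of the two calls in vmx_free_vcpu() that makes the reported use after free observable. Everything about the data layout is an assumption made for the model and not shown on the page: each nested vmcs02 is taken to be a struct loaded_vmcs embedded in a heap item that nested_free_all_saved_vmcss() kfrees, and a vCPU torn down while it was running L2 is taken to still have vmx->loaded_vmcs pointing at one of those embedded structs. kfree() is replaced by a quarantine so that a later access through the dangling pointer is counted rather than being undefined behaviour, and the model's free_loaded_vmcs() is assumed to be safe to call twice on the same object (it NULLs the vmcs pointer), which is what the swapped order relies on.

```c
/* Added example, not code from this thread or from the KVM tree. Data layout
 * and the double-call tolerance of free_loaded_vmcs() are assumptions made
 * for the model, not facts taken from the page. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct vmcs { unsigned char page[64]; };   /* stand-in for the VMCS page */

struct loaded_vmcs {
    struct vmcs *vmcs;   /* NULL once free_vmcs() ran */
    int cpu;             /* -1 once cleared from its cpu */
};

struct vmcs02_list {                 /* assumed: vmcs02 embedded in a heap item */
    struct vmcs02_list *next;
    struct loaded_vmcs vmcs02;       /* so kfree(item) frees the loaded_vmcs too */
};

struct vcpu_vmx {
    struct loaded_vmcs vmcs01;
    struct loaded_vmcs *loaded_vmcs;   /* &vmcs01, or &item->vmcs02 while in L2 */
    struct vmcs02_list *vmcs02_pool;
};

enum teardown_order { FREE_NESTED_FIRST, FREE_LOADED_VMCS_FIRST };

/* Quarantine standing in for kfree(): memory stays mapped but is marked freed,
 * so a pointer into it can be recognised without dereferencing it. */
static struct vmcs02_list *quarantine[16];
static int quarantine_len;
static int uaf_hits;   /* free_loaded_vmcs() calls on a kfree'd object */

static void model_kfree(struct vmcs02_list *item) { quarantine[quarantine_len++] = item; }

static bool is_freed(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < quarantine_len; i++) {
        uintptr_t lo = (uintptr_t)quarantine[i];
        if (a >= lo && a < lo + sizeof(*quarantine[i]))
            return true;
    }
    return false;
}

static void free_loaded_vmcs(struct loaded_vmcs *lv)
{
    if (is_freed(lv)) {   /* the bug: lv points into memory kfree() already released */
        uaf_hits++;
        return;
    }
    lv->cpu = -1;         /* loaded_vmcs_clear() */
    free(lv->vmcs);       /* free_vmcs(); free(NULL) is a no-op */
    lv->vmcs = NULL;      /* assumed: makes a second call on the same object harmless */
}

static void free_nested(struct vcpu_vmx *vmx)   /* -> nested_free_all_saved_vmcss() */
{
    struct vmcs02_list *item = vmx->vmcs02_pool, *next;
    for (; item; item = next) {
        next = item->next;
        free_loaded_vmcs(&item->vmcs02);
        model_kfree(item);
    }
    vmx->vmcs02_pool = NULL;
}

static struct vcpu_vmx *alloc_vcpu(bool in_l2, int nr_vmcs02)
{
    struct vcpu_vmx *vmx = calloc(1, sizeof(*vmx));
    vmx->vmcs01.vmcs = calloc(1, sizeof(struct vmcs));
    for (int i = 0; i < nr_vmcs02; i++) {
        struct vmcs02_list *item = calloc(1, sizeof(*item));
        item->vmcs02.vmcs = calloc(1, sizeof(struct vmcs));
        item->next = vmx->vmcs02_pool;
        vmx->vmcs02_pool = item;
    }
    vmx->loaded_vmcs = in_l2 ? &vmx->vmcs02_pool->vmcs02 : &vmx->vmcs01;
    return vmx;
}

/* Run the two calls from vmx_free_vcpu() in the given order and return how
 * many times free_loaded_vmcs() was handed a pointer into kfree'd memory. */
int teardown_uaf_hits(enum teardown_order order, bool in_l2)
{
    struct vcpu_vmx *vmx = alloc_vcpu(in_l2, 2);
    quarantine_len = 0;
    uaf_hits = 0;
    if (order == FREE_NESTED_FIRST) {        /* order before the patch */
        free_nested(vmx);
        free_loaded_vmcs(vmx->loaded_vmcs);  /* dangling if the vCPU was in L2 */
    } else {                                 /* order after the patch */
        free_loaded_vmcs(vmx->loaded_vmcs);  /* object still live */
        free_nested(vmx);                    /* second call, then kfree */
    }
    for (int i = 0; i < quarantine_len; i++) /* now really release everything */
        free(quarantine[i]);
    free(vmx->vmcs01.vmcs);
    free(vmx);
    return uaf_hits;
}
```

With the vCPU modelled as running L2, the pre-patch order reports one access to kfree'd memory and the post-patch order none; with the vCPU in L1 (vmx->loaded_vmcs pointing at vmcs01, which lives inside the vcpu_vmx) neither order trips, which is why the bug only shows up on teardown of a nested guest in this model. The model also shows the cost of the swap: free_loaded_vmcs() is reached twice for the same vmcs02 and is only safe because it NULLs the vmcs pointer the first time.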