From: Jan Kiszka
Subject: Re: KVM: VMX: fix use after free of vmx->loaded_vmcs
Date: Fri, 03 Jan 2014 20:54:33 +0100
Message-ID: <52C71579.6040502@web.de>
References: <20140103190051.GA16151@amt.cnet> <52C70F0B.7020406@web.de> <20140103193628.GA17605@amt.cnet>
In-Reply-To: <20140103193628.GA17605@amt.cnet>
To: Marcelo Tosatti
Cc: kvm-devel, Paolo Bonzini

On 2014-01-03 20:36, Marcelo Tosatti wrote:
> On Fri, Jan 03, 2014 at 08:27:07PM +0100, Jan Kiszka wrote:
>> On 2014-01-03 20:00, Marcelo Tosatti wrote:
>>>
>>> After free_loaded_vmcs executes, the "loaded_vmcs" structure
>>> is kfreed, and now vmx->loaded_vmcs points to a kfreed area.
>>> Subsequent free_loaded_vmcs then attempts to manipulate
>>> vmx->loaded_vmcs.
>>
>> Cannot follow yet. How precisely do we call free_loaded_vmcs twice on
>> the same loaded_vmcs?
>
> You don't:
>
> nested_free_all_saved_vmcss calls kfree(item). item is struct
> vmcs02_list *, which is:
>
> /* Used to remember the last vmcs02 used for some recently used vmcs12s
>  * */
> struct vmcs02_list {
> 	struct list_head list;
> 	gpa_t vmptr;
> 	struct loaded_vmcs vmcs02;
> };
>
> And vmx->loaded_vmcs = &item->vmcs02.

Yeah, now I see.
You may add my Reviewed-by: Jan Kiszka

>
>> I thought the frees triggered by free_nested ->
>> nested_free_all_saved_vmcss stay away from vmx->loaded_vmcs, no?
>
> Stays away as far as free_loaded_vmcs, yes.
> Except it frees the structure pointed to by vmx->loaded_vmcs.
>
>
>
> The separate question is about when is vmcs01 ever allocated again
> if freed by nested_free_all_saved_vmcss (the other email).
>
>> Jan
>>
>>>
>>> Switch the order to avoid the problem.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1047892
>>>
>>> Signed-off-by: Marcelo Tosatti
>>>
>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>> index da7837e..2efa33f0 100644
>>> --- a/arch/x86/kvm/vmx.c
>>> +++ b/arch/x86/kvm/vmx.c
>>> @@ -7332,8 +7332,8 @@ static void vmx_free_vcpu(struct kvm_vcpu *vcpu)
>>>  	struct vcpu_vmx *vmx = to_vmx(vcpu);
>>>  
>>>  	free_vpid(vmx);
>>> -	free_nested(vmx);
>>>  	free_loaded_vmcs(vmx->loaded_vmcs);
>>> +	free_nested(vmx);
>>>  	kfree(vmx->guest_msrs);
>>>  	kvm_vcpu_uninit(vcpu);
>>>  	kmem_cache_free(kvm_vcpu_cache, vmx);
>>>
>>
>>
>
>
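Review bot: the swap in vmx_free_vcpu fixes the bug purely by call order, and nothing in the hunk says why `free_loaded_vmcs(vmx->loaded_vmcs);` must now precede `free_nested(vmx);`, so a later cleanup could reorder them back with no clue that it matters; add a comment above the pair stating that vmx->loaded_vmcs may point at the vmcs02 embedded in a vmcs02_list item that free_nested kfrees, and reference the bugzilla there. After free_nested returns, vmx->loaded_vmcs is left dangling until kmem_cache_free; nothing in this hunk dereferences it, but saying so in the same comment, or clearing it, would make the teardown self-explaining. The commit message's first sentence also names free_loaded_vmcs as the call that kfrees the structure, whereas the discussion below it attributes the kfree to free_nested -> nested_free_all_saved_vmcss; the message should match the actual sequence.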
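The aliasing that the thread describes, pointer vmx->loaded_vmcs into a vmcs02 that lives inside a list item owned by the nested-VMX pool, is easiest to see with both teardown orders run side by side. The C below is an added example, not KVM code: the kernel allocator is replaced by a constructed slot tracker so the use after free is counted instead of executed, list_head is replaced by a plain next pointer, and the behaviour of nested_free_all_saved_vmcss (skip free_loaded_vmcs on the loaded vmcs02 but still kfree its item; free vmcs01 when it is not the loaded one) is an assumption taken from Marcelo's description rather than from the source. vmx_free_vcpu takes a flag selecting the pre- or post-patch order.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for kmalloc/kfree: fixed slots that remember whether they
 * are live, so a dereference of freed memory is counted instead of executed. */
#define NSLOTS 8
#define SLOT_BYTES 128
static struct slot { bool live; _Alignas(16) unsigned char mem[SLOT_BYTES]; } pool[NSLOTS];
static int uaf_count;	/* dereferences of freed memory seen so far */

static void *kmalloc_model(void)
{
	for (int i = 0; i < NSLOTS; i++)
		if (!pool[i].live)
			return pool[i].live = true, memset(pool[i].mem, 0, SLOT_BYTES);
	return NULL;
}

static struct slot *slot_of(const void *p)
{
	for (int i = 0; i < NSLOTS; i++)
		if ((uintptr_t)p - (uintptr_t)pool[i].mem < SLOT_BYTES)
			return &pool[i];
	return NULL;
}

static bool touch(const void *p)	/* every dereference of a tracked object passes here */
{
	struct slot *s = slot_of(p);
	if (s && !s->live)
		uaf_count++;
	return !s || s->live;
}

static void kfree_model(void *p)
{
	if (slot_of(p) && touch(p))
		slot_of(p)->live = false;
}

/* The thread's structures, reduced: list_head becomes a next pointer and
 * loaded_vmcs keeps only the buffer that free_loaded_vmcs() releases. */
struct loaded_vmcs { void *vmcs; };
struct vmcs02_list { struct vmcs02_list *next; unsigned long vmptr; struct loaded_vmcs vmcs02; };
struct vcpu_vmx { struct loaded_vmcs vmcs01; struct loaded_vmcs *loaded_vmcs; struct vmcs02_list *vmcs02_pool; };

static void free_loaded_vmcs(struct loaded_vmcs *lv)
{
	if (!touch(lv))			/* the dereference that becomes the use after free */
		return;
	kfree_model(lv->vmcs);
	lv->vmcs = NULL;
}

/* Assumed body of free_nested(), following Marcelo's description: the pool walk
 * skips free_loaded_vmcs() on the currently loaded vmcs02 but still kfrees the
 * item that embeds it; vmcs01 is freed whenever it is not the loaded one. */
static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
{
	for (struct vmcs02_list *item = vmx->vmcs02_pool, *next; item; item = next) {
		next = item->next;
		if (vmx->loaded_vmcs != &item->vmcs02)
			free_loaded_vmcs(&item->vmcs02);
		kfree_model(item);	/* &item->vmcs02 dangles from here on */
	}
	vmx->vmcs02_pool = NULL;
	if (vmx->loaded_vmcs != &vmx->vmcs01)
		free_loaded_vmcs(&vmx->vmcs01);
}

/* A vcpu torn down while running L2: loaded_vmcs aliases a pooled vmcs02. */
static struct vcpu_vmx *make_vcpu_in_l2(void)
{
	struct vcpu_vmx *vmx = kmalloc_model();
	struct vmcs02_list *item = kmalloc_model();
	vmx->vmcs01.vmcs = kmalloc_model();
	item->vmcs02.vmcs = kmalloc_model();
	vmx->vmcs02_pool = item;
	vmx->loaded_vmcs = &item->vmcs02;
	return vmx;
}

/* vmx_free_vcpu() in either call order from the hunk; returns how many
 * dereferences of freed memory the teardown performed (0 is clean). */
static int vmx_free_vcpu(struct vcpu_vmx *vmx, bool patched_order)
{
	uaf_count = 0;
	if (!patched_order)
		nested_free_all_saved_vmcss(vmx);	/* kfrees the item loaded_vmcs points into */
	free_loaded_vmcs(vmx->loaded_vmcs);
	if (patched_order)
		nested_free_all_saved_vmcss(vmx);	/* pool torn down only after its last user */
	kfree_model(vmx);
	return uaf_count;
}

int main(void)
{
	printf("patched order:  %d freed-memory accesses\n", vmx_free_vcpu(make_vcpu_in_l2(), true));
	printf("original order: %d freed-memory accesses\n", vmx_free_vcpu(make_vcpu_in_l2(), false));
	return 0;
}
```

Build with `cc -std=c11 -Wall` and run; the unpatched order reports one freed-memory access, the patched order none. The slot tracker plays the role a KASAN build would play on the real kernel: the pointer value is unchanged by the fix, only the order in which its target and the pool that owns it are released.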