Re: KASAN: use-after-free Read in kvm_put_kvm (caused by: "kvm/x86: add coalesced pio support")

public inbox for kvm@vger.kernel.org
 help / color / mirror / Atom feed

From: Paolo Bonzini <pbonzini@redhat.com>
To: Eric Biggers <ebiggers@kernel.org>, Peng Hao <peng.hao2@zte.com.cn>
Cc: syzbot <syzbot+f87f60bb6f13f39b54e3@syzkaller.appspotmail.com>,
	kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	rkrcmar@redhat.com, syzkaller-bugs@googlegroups.com
Subject: Re: KASAN: use-after-free Read in kvm_put_kvm (caused by: "kvm/x86: add coalesced pio support")
Date: Mon, 17 Dec 2018 16:58:29 +0100	[thread overview]
Message-ID: <5b22a63b-e4c2-58af-8070-5aec20302dfc@redhat.com> (raw)
In-Reply-To: <20181216185513.GA691@sol.localdomain>

On 16/12/18 19:55, Eric Biggers wrote:
> Hi Peng and Paolo,
> 
> On Sun, Oct 21, 2018 at 12:01:55PM +0200, Paolo Bonzini wrote:
>> On 20/10/2018 18:57, syzbot wrote:
>>> Hello,
>>>
>>> syzbot found the following crash on:
>>>
>>> HEAD commit:    8c60c36d0b8c Add linux-next specific files for 20181019
>>> git tree:       linux-next
>>> console output: https://syzkaller.appspot.com/x/log.txt?x=12d808b5400000
>>> kernel config:  https://syzkaller.appspot.com/x/.config?x=8b6d7c4c81535e89
>>> dashboard link:
>>> https://syzkaller.appspot.com/bug?extid=f87f60bb6f13f39b54e3
>>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17cf2f5e400000
>>> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1036dcce400000
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+f87f60bb6f13f39b54e3@syzkaller.appspotmail.com
>>
>> Tentative (untested) patch:
>>
>> diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
>> index 3710342cf6ad..dc76cc8d24fd 100644
>> --- a/virt/kvm/coalesced_mmio.c
>> +++ b/virt/kvm/coalesced_mmio.c
>> @@ -90,6 +90,7 @@ static int coalesced_mmio_write(struct kvm_vcpu *vcpu,
>>  	return 0;
>>  }
>>
>> +/* called with kvm->slots_lock held */
>>  static void coalesced_mmio_destructor(struct kvm_io_device *this)
>>  {
>>  	struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
>> diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
>> index b20b751286fc..001e1ef18c8c 100644
>> --- a/virt/kvm/eventfd.c
>> +++ b/virt/kvm/eventfd.c
>> @@ -741,8 +741,8 @@ ioeventfd_write(struct kvm_vcpu *vcpu, struct
>> kvm_io_device *this, gpa_t addr,
>>  }
>>
>>  /*
>> - * This function is called as KVM is completely shutting down.  We do not
>> - * need to worry about locking just nuke anything we have as quickly as
>> possible
>> + * This function is called as KVM is completely shutting down, so there
>> + * are no RCU readers anymore. Called with kvm->slots_lock held.
>>   */
>>  static void
>>  ioeventfd_destructor(struct kvm_io_device *this)
>> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
>> index aff1242b7af7..e6f2ae6fedcd 100644
>> --- a/virt/kvm/kvm_main.c
>> +++ b/virt/kvm/kvm_main.c
>> @@ -783,6 +783,7 @@ static void kvm_destroy_vm(struct kvm *kvm)
>>  	list_del(&kvm->vm_list);
>>  	spin_unlock(&kvm_lock);
>>  	kvm_free_irq_routing(kvm);
>> +	mutex_lock(&kvm->slots_lock);
>>  	for (i = 0; i < KVM_NR_BUSES; i++) {
>>  		struct kvm_io_bus *bus = kvm_get_bus(kvm, i);
>>
>> @@ -790,6 +791,7 @@ static void kvm_destroy_vm(struct kvm *kvm)
>>  			kvm_io_bus_destroy(bus);
>>  		kvm->buses[i] = NULL;
>>  	}
>> +	mutex_unlock(&kvm->slots_lock);
>>  	kvm_coalesced_mmio_free(kvm);
>>  #ifdef KVM_DIRTY_LOG_PAGE_OFFSET
>>  	if (kvm->dirty_ring_size)
>>
> 
> This is still happening.  Paolo, I don't see how your patch matches this bug, as
> it has a single threaded reproducer.  I simplified it to:
> 
> 	#include <fcntl.h>
> 	#include <linux/kvm.h>
> 	#include <sys/ioctl.h>
> 
> 	int main(void)
> 	{
> 		int kvm, vm;
> 		struct kvm_coalesced_mmio_zone zone = { 0 };
> 
> 		kvm = open("/dev/kvm", O_RDWR);
> 
> 		vm = ioctl(kvm, KVM_CREATE_VM, 0);
> 
> 		ioctl(vm, KVM_REGISTER_COALESCED_MMIO, &zone);
> 
> 		zone.pio = 1;
> 		ioctl(vm, KVM_UNREGISTER_COALESCED_MMIO, &zone);
> 	}
> 
> The bug is in this commit:
> 
> 	commit 0804c849f1df0992d39a37c4fc259f7f8b16f385
> 	Author: Peng Hao <peng.hao2@zte.com.cn>
> 	Date:   Sun Oct 14 07:09:55 2018 +0800
> 
> 	    kvm/x86 : add coalesced pio support
> 
> The problem is that if you register a kvm_coalesced_mmio_zone with '.pio = 0'
> but then unregister it with '.pio = 1', KVM_UNREGISTER_COALESCED_MMIO will try
> to unregister it from KVM_PIO_BUS rather than KVM_MMIO_BUS, which is a no-op,
> but then it frees the kvm_coalesced_mmio_dev anyway.
> 
> Here's one possible fix but I don't know what was intended here.  Are you
> supposed to pass in the same value of '.pio' when unregistering or is it
> supposed to use the existing value?  Can one of you please point me to the
> documentation for these ioctls?
> 
> diff --git a/virt/kvm/coalesced_mmio.c b/virt/kvm/coalesced_mmio.c
> index 3710342cf6ad0..6855cce3e5287 100644
> --- a/virt/kvm/coalesced_mmio.c
> +++ b/virt/kvm/coalesced_mmio.c
> @@ -175,10 +175,14 @@ int kvm_vm_ioctl_unregister_coalesced_mmio(struct kvm *kvm,
>  {
>  	struct kvm_coalesced_mmio_dev *dev, *tmp;
>  
> +	if (zone->pio != 1 && zone->pio != 0)
> +		return -EINVAL;
> +
>  	mutex_lock(&kvm->slots_lock);
>  
>  	list_for_each_entry_safe(dev, tmp, &kvm->coalesced_zones, list)
> -		if (coalesced_mmio_in_range(dev, zone->addr, zone->size)) {
> +		if (zone->pio == dev->zone.pio &&
> +		    coalesced_mmio_in_range(dev, zone->addr, zone->size)) {
>  			kvm_io_bus_unregister_dev(kvm,
>  				zone->pio ? KVM_PIO_BUS : KVM_MMIO_BUS, &dev->dev);
>  			kvm_iodevice_destructor(&dev->dev);
> 

Yes, this is the fix.  The same range can be registered both with .pio =
0 and .pio = 1.

Paolo

next prev parent reply	other threads:[~2018-12-17 15:58 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-20 16:57 KASAN: use-after-free Read in kvm_put_kvm syzbot
2018-10-21 10:01 ` Paolo Bonzini
2018-12-16 18:55   ` KASAN: use-after-free Read in kvm_put_kvm (caused by: "kvm/x86: add coalesced pio support") Eric Biggers
2018-12-17 15:58     ` Paolo Bonzini [this message]
2018-12-17 17:36       ` [PATCH] KVM: fix unregistering coalesced mmio zone from wrong bus Eric Biggers
2018-12-18 21:03     ` KASAN: use-after-free Read in kvm_put_kvm (caused by: "kvm/x86: add coalesced pio support") Paolo Bonzini

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5b22a63b-e4c2-58af-8070-5aec20302dfc@redhat.com \
    --to=pbonzini@redhat.com \
    --cc=ebiggers@kernel.org \
    --cc=kvm@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=peng.hao2@zte.com.cn \
    --cc=rkrcmar@redhat.com \
    --cc=syzbot+f87f60bb6f13f39b54e3@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox