Re: [BUG]: bad usercopy in kvm_stats_read in mm/usercopy.c

Re: [BUG]: bad usercopy in kvm_stats_read in mm/usercopy.c

[Andrew Morton]

On Sun, 9 Jul 2023 14:32:09 -0700 Zheng Zhang <zheng.zhang@email.ucr.edu> wrote:

> Kees, Andrew, and  to whom it may concern:
> 
> Hello! We have found a bug in the Linux kernel version 6.2.0 by syzkaller
> with our own templates. It also produces a POC.
> Attached is the report, log, and reproducers generated by syzkaller
> Please let me know if there is any additional information that I can
> provide to help debug this issue.
> Thanks!

Let's cc the kvm mailing list.

Original email is at
https://lkml.kernel.org/r/CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com

Re: [BUG]: bad usercopy in kvm_stats_read in mm/usercopy.c

[Sean Christopherson]

On Mon, Jul 10, 2023, Andrew Morton wrote:
> On Sun, 9 Jul 2023 14:32:09 -0700 Zheng Zhang <zheng.zhang@email.ucr.edu> wrote:
> 
> > Kees, Andrew, and  to whom it may concern:
> > 
> > Hello! We have found a bug in the Linux kernel version 6.2.0 by syzkaller
> > with our own templates. It also produces a POC.
> > Attached is the report, log, and reproducers generated by syzkaller
> > Please let me know if there is any additional information that I can
> > provide to help debug this issue.
> > Thanks!
> 
> Let's cc the kvm mailing list.
> 
> Original email is at
> https://lkml.kernel.org/r/CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com

Yeaaaah.  We failed kernel programming 101.  KVM installs file descriptors to
let userspace read VM and vCPU stats, but doesn't grab a reference to the VM to
ensure the VM and its vCPUs are kept alive until the stats fds are closed.  I'll
send a patch.

Re: [BUG]: bad usercopy in kvm_stats_read in mm/usercopy.c

[Kees Cook]

On Tue, Jul 11, 2023 at 09:15:00AM -0700, Sean Christopherson wrote:
> On Mon, Jul 10, 2023, Andrew Morton wrote:
> > On Sun, 9 Jul 2023 14:32:09 -0700 Zheng Zhang <zheng.zhang@email.ucr.edu> wrote:
> > 
> > > Kees, Andrew, and  to whom it may concern:
> > > 
> > > Hello! We have found a bug in the Linux kernel version 6.2.0 by syzkaller
> > > with our own templates. It also produces a POC.
> > > Attached is the report, log, and reproducers generated by syzkaller
> > > Please let me know if there is any additional information that I can
> > > provide to help debug this issue.
> > > Thanks!
> > 
> > Let's cc the kvm mailing list.
> > 
> > Original email is at
> > https://lkml.kernel.org/r/CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com
> 
> Yeaaaah.  We failed kernel programming 101.  KVM installs file descriptors to
> let userspace read VM and vCPU stats, but doesn't grab a reference to the VM to
> ensure the VM and its vCPUs are kept alive until the stats fds are closed.  I'll
> send a patch.

Thanks! Another victory for hardened usercopy. :)

-- 
Kees Cook