From: Paolo Bonzini <pbonzini@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Philippe Mathieu-Daudé" <philmd@redhat.com>,
"Igor Mammedov" <imammedo@redhat.com>,
"Pan Nengyuan" <pannengyuan@huawei.com>,
"Euler Robot" <euler.robot@huawei.com>
Subject: [PULL 047/115] i386/kvm: fix a use-after-free when vcpu plug/unplug
Date: Thu, 11 Jun 2020 15:43:41 -0400 [thread overview]
Message-ID: <20200611194449.31468-48-pbonzini@redhat.com> (raw)
In-Reply-To: <20200611194449.31468-1-pbonzini@redhat.com>
From: Pan Nengyuan <pannengyuan@huawei.com>
When we hotplug vcpus, cpu_update_state is added to vm_change_state_head
in kvm_arch_init_vcpu(). But it forgot to delete in kvm_arch_destroy_vcpu() after
unplug. Then it will cause a use-after-free access. This patch delete it in
kvm_arch_destroy_vcpu() to fix that.
Reproducer:
virsh setvcpus vm1 4 --live
virsh setvcpus vm1 2 --live
virsh suspend vm1
virsh resume vm1
The UAF stack:
==qemu-system-x86_64==28233==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e00002e798 at pc 0x5573c6917d9e bp 0x7fff07139e50 sp 0x7fff07139e40
WRITE of size 1 at 0x62e00002e798 thread T0
#0 0x5573c6917d9d in cpu_update_state /mnt/sdb/qemu/target/i386/kvm.c:742
#1 0x5573c699121a in vm_state_notify /mnt/sdb/qemu/vl.c:1290
#2 0x5573c636287e in vm_prepare_start /mnt/sdb/qemu/cpus.c:2144
#3 0x5573c6362927 in vm_start /mnt/sdb/qemu/cpus.c:2150
#4 0x5573c71e8304 in qmp_cont /mnt/sdb/qemu/monitor/qmp-cmds.c:173
#5 0x5573c727cb1e in qmp_marshal_cont qapi/qapi-commands-misc.c:835
#6 0x5573c7694c7a in do_qmp_dispatch /mnt/sdb/qemu/qapi/qmp-dispatch.c:132
#7 0x5573c7694c7a in qmp_dispatch /mnt/sdb/qemu/qapi/qmp-dispatch.c:175
#8 0x5573c71d9110 in monitor_qmp_dispatch /mnt/sdb/qemu/monitor/qmp.c:145
#9 0x5573c71dad4f in monitor_qmp_bh_dispatcher /mnt/sdb/qemu/monitor/qmp.c:234
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Pan Nengyuan <pannengyuan@huawei.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-Id: <20200513132630.13412-1-pannengyuan@huawei.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
target/i386/cpu.h | 1 +
target/i386/kvm.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 00d1f4f013..37572bd437 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -1634,6 +1634,7 @@ struct X86CPU {
CPUNegativeOffsetState neg;
CPUX86State env;
+ VMChangeStateEntry *vmsentry;
uint64_t ucode_rev;
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 95bbeb424b..ef2e0a81dd 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -1741,7 +1741,7 @@ int kvm_arch_init_vcpu(CPUState *cs)
}
}
- qemu_add_vm_change_state_handler(cpu_update_state, env);
+ cpu->vmsentry = qemu_add_vm_change_state_handler(cpu_update_state, env);
c = cpuid_find_entry(&cpuid_data.cpuid, 1, 0);
if (c) {
@@ -1852,6 +1852,8 @@ int kvm_arch_destroy_vcpu(CPUState *cs)
env->nested_state = NULL;
}
+ qemu_del_vm_change_state_handler(cpu->vmsentry);
+
return 0;
}
--
2.26.2
next prev parent reply other threads:[~2020-06-11 20:25 UTC|newest]
Thread overview: 126+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-11 19:42 [PULL 000/115] Huge miscellaneous pull request for 2020-06-11 Paolo Bonzini
2020-06-11 19:42 ` [PULL 001/115] docker.py/build: support -t and -f arguments Paolo Bonzini
2020-06-11 19:42 ` [PULL 002/115] docker.py/build: support binary files in --extra-files Paolo Bonzini
2020-06-11 19:42 ` [PULL 003/115] run-coverity-scan: get Coverity token and email from special git config section Paolo Bonzini
2020-06-11 19:42 ` [PULL 004/115] run-coverity-scan: use docker.py Paolo Bonzini
2020-06-11 19:42 ` [PULL 005/115] run-coverity-scan: add --no-update-tools option Paolo Bonzini
2020-06-11 19:43 ` [PULL 006/115] run-coverity-scan: use --no-update-tools in docker run Paolo Bonzini
2020-06-11 19:43 ` [PULL 007/115] run-coverity-scan: download tools outside the container Paolo Bonzini
2020-06-11 19:43 ` [PULL 008/115] run-coverity-scan: support --update-tools-only --docker Paolo Bonzini
2020-06-11 19:43 ` [PULL 009/115] vl.c: run preconfig loop before creating default RAM backend Paolo Bonzini
2020-06-11 19:43 ` [PULL 010/115] numa: prevent usage of -M memory-backend and -numa memdev at the same time Paolo Bonzini
2020-06-11 19:43 ` [PULL 011/115] icount: fix shift=auto for record/replay Paolo Bonzini
2020-06-11 19:43 ` [PULL 012/115] qom/object: Fix object_child_foreach_recursive() return value Paolo Bonzini
2020-06-11 19:43 ` [PULL 013/115] target/i386: Fix OUTL debug output Paolo Bonzini
2020-06-11 19:43 ` [PULL 014/115] qom/object: Move Object typedef to 'qemu/typedefs.h' Paolo Bonzini
2020-06-11 19:43 ` [PULL 015/115] io/task: Move 'qom/object.h' header to source Paolo Bonzini
2020-06-11 19:43 ` [PULL 016/115] Makefile: Let the 'help' target list the helper targets Paolo Bonzini
2020-06-11 19:43 ` [PULL 017/115] hyperv: expose API to determine if synic is enabled Paolo Bonzini
2020-06-11 19:43 ` [PULL 018/115] vmbus: add vmbus protocol definitions Paolo Bonzini
2020-06-11 19:43 ` [PULL 019/115] vmbus: vmbus implementation Paolo Bonzini
2020-06-11 19:43 ` [PULL 020/115] i386:pc: whitelist dynamic vmbus-bridge Paolo Bonzini
2020-06-11 19:43 ` [PULL 021/115] i386: Hyper-V VMBus ACPI DSDT entry Paolo Bonzini
2020-06-11 19:43 ` [PULL 022/115] vmbus: add infrastructure to save/load vmbus requests Paolo Bonzini
2020-06-11 19:43 ` [PULL 023/115] target/i386: Fix the CPUID leaf CPUID_Fn80000008 Paolo Bonzini
2020-06-11 19:43 ` [PULL 024/115] target/i386: fix phadd* with identical destination and source register Paolo Bonzini
2020-06-11 19:43 ` [PULL 025/115] hw/i386/vmport: Add reference to VMware open-vm-tools Paolo Bonzini
2020-06-11 19:43 ` [PULL 026/115] hw/i386/vmport: Add device properties Paolo Bonzini
2020-06-11 19:43 ` [PULL 027/115] hw/i386/vmport: Propagate IOPort read to vCPU EAX register Paolo Bonzini
2020-06-23 8:46 ` Laurent Vivier
2020-06-23 9:34 ` Liran Alon
2020-06-23 10:25 ` Paolo Bonzini
2020-06-23 10:26 ` Laurent Vivier
2020-06-11 19:43 ` [PULL 028/115] hw/i386/vmport: Set EAX to -1 on failed and unsupported commands Paolo Bonzini
2020-06-11 19:43 ` [PULL 029/115] hw/i386/vmport: Introduce vmware-vmx-version property Paolo Bonzini
2020-06-11 19:43 ` [PULL 030/115] hw/i386/vmport: Report vmware-vmx-type in CMD_GETVERSION Paolo Bonzini
2020-06-11 19:43 ` [PULL 031/115] hw/i386/vmport: Introduce vmport.h Paolo Bonzini
2020-06-11 19:43 ` [PULL 032/115] hw/i386/vmport: Define enum for all commands Paolo Bonzini
2020-06-11 19:43 ` [PULL 033/115] hw/i386/vmport: Add support for CMD_GETBIOSUUID Paolo Bonzini
2020-06-11 19:43 ` [PULL 034/115] hw/i386/vmport: Add support for CMD_GET_VCPU_INFO Paolo Bonzini
2020-06-11 19:43 ` [PULL 035/115] hw/i386/vmport: Allow x2apic without IR Paolo Bonzini
2020-06-11 19:43 ` [PULL 036/115] i386/cpu: Store LAPIC bus frequency in CPU structure Paolo Bonzini
2020-06-11 19:43 ` [PULL 037/115] hw/i386/vmport: Add support for CMD_GETHZ Paolo Bonzini
2020-06-11 19:43 ` [PULL 038/115] hw/i386/vmport: Assert vmport initialized before registering commands Paolo Bonzini
2020-06-11 19:43 ` [PULL 039/115] accel: Move Xen accelerator code under accel/xen/ Paolo Bonzini
2020-06-11 19:43 ` [PULL 040/115] qom: remove index from object_resolve_abs_path() Paolo Bonzini
2020-06-11 19:43 ` [PULL 041/115] qom/object: factor out the initialization of hash table of properties Paolo Bonzini
2020-06-11 19:43 ` [PULL 042/115] qom/object: simplify type_initialize_interface() Paolo Bonzini
2020-06-11 19:43 ` [PULL 043/115] qom/object: pass (Object *) to object_initialize_with_type() Paolo Bonzini
2020-06-11 19:43 ` [PULL 044/115] qom/container: remove .instance_size initializer from container_info Paolo Bonzini
2020-06-11 19:43 ` [PULL 045/115] cpus: Fix botched configure_icount() error API violation fix Paolo Bonzini
2020-06-11 19:43 ` [PULL 046/115] hax: Dynamic allocate vcpu state structure Paolo Bonzini
2020-06-11 19:43 ` Paolo Bonzini [this message]
2020-06-11 19:43 ` [PULL 048/115] megasas: use unsigned type for reply_queue_head and check index Paolo Bonzini
2020-06-11 19:43 ` [PULL 049/115] megasas: avoid NULL pointer dereference Paolo Bonzini
2020-06-11 19:43 ` [PULL 050/115] megasas: use unsigned type for positive numeric fields Paolo Bonzini
2020-06-11 19:43 ` [PULL 051/115] target/i386: implement special cases for fxtract Paolo Bonzini
2020-06-11 19:43 ` [PULL 052/115] target/i386: fix fscale handling of signaling NaN Paolo Bonzini
2020-06-11 19:43 ` [PULL 053/115] target/i386: fix fscale handling of invalid exponent encodings Paolo Bonzini
2020-06-11 19:43 ` [PULL 054/115] target/i386: fix fscale handling of infinite exponents Paolo Bonzini
2020-06-11 19:43 ` [PULL 055/115] target/i386: fix fscale handling of rounding precision Paolo Bonzini
2020-06-11 19:43 ` [PULL 056/115] exec: Let address_space_read/write_cached() propagate MemTxResult Paolo Bonzini
2020-06-11 19:43 ` [PULL 057/115] exec: Propagate cpu_memory_rw_debug() error Paolo Bonzini
2020-06-11 19:43 ` [PULL 058/115] disas: Let disas::read_memory() handler return EIO on error Paolo Bonzini
2020-06-11 19:43 ` [PULL 059/115] hw/elf_ops: Do not ignore write failures when loading ELF Paolo Bonzini
2020-06-11 19:43 ` [PULL 060/115] target/i386: fix floating-point load-constant rounding Paolo Bonzini
2020-06-11 19:43 ` [PULL 061/115] target/i386: fix fxam handling of invalid encodings Paolo Bonzini
2020-06-11 19:43 ` [PULL 062/115] target/i386: fix fbstp handling of negative zero Paolo Bonzini
2020-06-11 19:43 ` [PULL 063/115] target/i386: fix fbstp handling of out-of-range values Paolo Bonzini
2020-06-11 19:43 ` [PULL 064/115] target/i386: fix fisttpl, fisttpll " Paolo Bonzini
2020-06-11 19:43 ` [PULL 065/115] hw/i386/vmport: Allow QTest use without crashing Paolo Bonzini
2020-06-11 19:44 ` [PULL 066/115] x86/cpu: Enable AVX512_VP2INTERSECT cpu feature Paolo Bonzini
2020-06-11 19:44 ` [PULL 067/115] vfio/pci: Use kvm_irqchip_add_irqfd_notifier_gsi() for irqfds Paolo Bonzini
2020-06-11 19:44 ` [PULL 068/115] KVM: Pass EventNotifier into kvm_irqchip_assign_irqfd Paolo Bonzini
2020-06-11 19:44 ` [PULL 069/115] KVM: Kick resamplefd for split kernel irqchip Paolo Bonzini
2020-06-11 19:44 ` [PULL 070/115] chardev/char-socket: Properly make qio connections non blocking Paolo Bonzini
2020-06-11 19:44 ` [PULL 071/115] tests: machine-none-test: Enable MicroBlaze testing Paolo Bonzini
2020-06-11 19:44 ` [PULL 072/115] hw/i386/amd_iommu: Fix the reserved bits definition of IOMMU commands Paolo Bonzini
2020-06-11 19:44 ` [PULL 073/115] replay: implement fair mutex Paolo Bonzini
2020-06-11 19:44 ` [PULL 074/115] i386: Remove unused define's from hax and hvf Paolo Bonzini
2020-06-11 19:44 ` [PULL 075/115] target/i386: define a new MSR based feature word - FEAT_PERF_CAPABILITIES Paolo Bonzini
2020-06-11 19:44 ` [PULL 076/115] util/oslib: Returns the real thread identifier on FreeBSD and NetBSD Paolo Bonzini
2020-06-11 19:44 ` [PULL 077/115] memory: Make 'info mtree' not display disabled regions by default Paolo Bonzini
2020-06-11 19:44 ` [PULL 078/115] qemu/thread: Mark qemu_thread_exit() with 'noreturn' attribute Paolo Bonzini
2020-06-11 19:44 ` [PULL 079/115] configure: Do not ignore malloc value Paolo Bonzini
2020-06-11 19:44 ` [PULL 080/115] exec: set map length to zero when returning NULL Paolo Bonzini
2020-06-11 19:44 ` [PULL 081/115] target/i386: fix IEEE x87 floating-point exception raising Paolo Bonzini
2020-06-11 19:44 ` [PULL 082/115] target/i386: correct fix for pcmpxstrx substring search Paolo Bonzini
2020-06-11 19:44 ` [PULL 083/115] sysemu/accel: Restrict machine methods to system-mode Paolo Bonzini
2020-06-11 19:44 ` [PULL 084/115] sysemu/tcg: Only declare tcg_allowed when TCG is available Paolo Bonzini
2020-06-11 19:44 ` [PULL 085/115] sysemu/hvf: Only declare hvf_allowed when HVF " Paolo Bonzini
2020-06-11 19:44 ` [PULL 086/115] target/ppc: Restrict PPCVirtualHypervisorClass to system-mode Paolo Bonzini
2020-06-11 19:44 ` [PULL 087/115] i386: hvf: Move HVFState definition into hvf Paolo Bonzini
2020-06-11 19:44 ` [PULL 088/115] i386: hvf: Drop useless declarations in sysemu Paolo Bonzini
2020-06-11 19:44 ` [PULL 089/115] i386: hvf: Drop unused variable Paolo Bonzini
2020-06-11 19:44 ` [PULL 090/115] i386: hvf: Use ins_len to advance IP Paolo Bonzini
2020-06-11 19:44 ` [PULL 091/115] i386: hvf: Use IP from CPUX86State Paolo Bonzini
2020-06-11 19:44 ` [PULL 092/115] i386: hvf: Drop fetch_rip from HVFX86EmulatorState Paolo Bonzini
2020-06-11 19:44 ` [PULL 093/115] i386: hvf: Drop rflags " Paolo Bonzini
2020-06-11 19:44 ` [PULL 094/115] i386: hvf: Drop copy of RFLAGS defines Paolo Bonzini
2020-06-11 19:44 ` [PULL 095/115] i386: hvf: Drop regs in HVFX86EmulatorState Paolo Bonzini
2020-06-11 19:44 ` [PULL 096/115] i386: hvf: Move lazy_flags into CPUX86State Paolo Bonzini
2020-06-11 19:44 ` [PULL 097/115] i386: hvf: Move mmio_buf " Paolo Bonzini
2020-06-11 19:44 ` [PULL 098/115] i386: hvf: Drop HVFX86EmulatorState Paolo Bonzini
2020-06-11 19:44 ` [PULL 099/115] xen: fix build without pci passthrough Paolo Bonzini
2020-06-11 19:44 ` [PULL 100/115] target/i386: sev: Remove unused QSevGuestInfoClass Paolo Bonzini
2020-06-11 19:44 ` [PULL 101/115] target/i386: sev: Move local structure definitions into .c file Paolo Bonzini
2020-06-11 19:44 ` [PULL 102/115] target/i386: sev: Rename QSevGuestInfo Paolo Bonzini
2020-06-11 19:44 ` [PULL 103/115] target/i386: sev: Embed SEVState in SevGuestState Paolo Bonzini
2020-06-11 19:44 ` [PULL 104/115] target/i386: sev: Partial cleanup to sev_state global Paolo Bonzini
2020-06-11 19:44 ` [PULL 105/115] target/i386: sev: Remove redundant cbitpos and reduced_phys_bits fields Paolo Bonzini
2020-06-11 19:44 ` [PULL 106/115] target/i386: sev: Remove redundant policy field Paolo Bonzini
2020-06-11 19:44 ` [PULL 107/115] target/i386: sev: Remove redundant handle field Paolo Bonzini
2020-06-11 19:44 ` [PULL 108/115] target/i386: sev: Unify SEVState and SevGuestState Paolo Bonzini
2020-06-11 19:44 ` [PULL 109/115] checkpatch: reversed logic with acpi test checks Paolo Bonzini
2020-06-11 19:44 ` [PULL 110/115] exec/memory: Remove unused MemoryRegionMmio type Paolo Bonzini
2020-06-11 19:44 ` [PULL 111/115] hw/usb: Move device-specific declarations to new 'hcd-musb.h' header Paolo Bonzini
2020-06-11 19:44 ` [PULL 112/115] exec/cpu-common: Move MUSB specific typedefs to 'hw/usb/hcd-musb.h' Paolo Bonzini
2020-06-11 19:44 ` [PULL 113/115] replay: fix replay shutdown for console mode Paolo Bonzini
2020-06-11 19:44 ` [PULL 114/115] stubs: move Xen stubs to accel/ Paolo Bonzini
2020-06-11 19:44 ` [PULL 115/115] target/i386: Remove obsolete TODO file Paolo Bonzini
2020-06-12 2:00 ` [PULL 000/115] Huge miscellaneous pull request for 2020-06-11 no-reply
2020-06-12 13:09 ` Peter Maydell
2020-06-12 13:33 ` Paolo Bonzini
2020-06-12 13:46 ` Roman Bolshakov
2020-06-12 14:53 ` Roman Bolshakov
2020-06-12 15:14 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200611194449.31468-48-pbonzini@redhat.com \
--to=pbonzini@redhat.com \
--cc=euler.robot@huawei.com \
--cc=imammedo@redhat.com \
--cc=pannengyuan@huawei.com \
--cc=philmd@redhat.com \
--cc=qemu-devel@nongnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).