Subject: FAILED: patch "[PATCH] kvm: fix kvm_ioctl_create_device() reference counting" failed to apply to 4.4-stable tree
To: jannh@google.com, pbonzini@redhat.com
Date: Mon, 11 Feb 2019 12:15:29 +0100
Message-ID: <154988372969243@kroah.com>
X-Mailing-List: stable@vger.kernel.org

The patch below does not apply to the 4.4-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to .

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

From cfa39381173d5f969daf43582c95ad679189cbc9 Mon Sep 17 00:00:00 2001
From: Jann Horn
Date: Sat, 26 Jan 2019 01:54:33 +0100
Subject: [PATCH] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)

kvm_ioctl_create_device() does the following:

1. creates a device that holds a reference to the VM object (with a borrowed
   reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
   reference

The ownership transfer in step 3 must not happen before the reference to the
VM becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before
anon_inode_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d57dc7f ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn
Signed-off-by: Paolo Bonzini

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 5ecea812cb6a..585845203db8 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -3000,8 +3000,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm, if (ops->init) ops->init(dev); + kvm_get_kvm(kvm); ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC); if (ret < 0) { + kvm_put_kvm(kvm); mutex_lock(&kvm->lock); list_del(&dev->vm_node); mutex_unlock(&kvm->lock); @@ -3009,7 +3011,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm, return ret; } - kvm_get_kvm(kvm); cd->fd = ret; return 0; }
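Review bot: in the error path of the first hunk (@@ -3000,8 +3000,10 @@), the new kvm_put_kvm(kvm) runs before mutex_lock(&kvm->lock), list_del(&dev->vm_node) and mutex_unlock(&kvm->lock), so the function keeps using kvm after it has dropped a reference to it. That is only safe because the VM fd the ioctl was issued on still pins kvm for the duration of the call, and nothing in the hunk says so; either a one-line comment at the put, or moving `kvm_put_kvm(kvm);` to after `mutex_unlock(&kvm->lock);` so the drop is visibly the last thing done with kvm on that path, would spare the next reader the same question. Not a correctness problem with the patch as posted.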
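Review bot: with the trailing kvm_get_kvm(kvm) removed in the second hunk (@@ -3009,7 +3011,6 @@), the point where the VM reference stops being this function's and becomes the device file's is now the anon_inode_getfd() call, but nothing in the code marks that boundary. A short comment before `cd->fd = ret;` stating that the device's reference to kvm was taken before the fd was installed and is released with the file would keep a later cleanup from moving the get back below the getfd, which is exactly the ordering bug this patch fixes (Fixes: 852b6d57dc7f).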
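The borrowed-versus-real reference ordering described in the commit message, as an added user-space model that is not code from the patch or from the kernel. kvm_get_kvm, kvm_put_kvm and the anon_inode_getfd stand-in keep their kernel names for readability, but the structs, the fd install, the "attacker closes the fd before the creator's next line" step and the freed flag are all constructed for this model; the creator starts with one reference of its own, standing in for the VM fd the ioctl was issued on.

```c
/*
 * Added example, not from the patch or the kernel: a user-space model of the
 * reference-counting order in kvm_ioctl_create_device(), before and after
 * the fix. Kernel function names are reused; everything else is constructed.
 */
#include <stdio.h>

struct kvm {
	int refcount;
	int freed;	/* set when the count hits zero; in the kernel the object is gone */
};

struct kvm_device {
	struct kvm *kvm;	/* borrowed until the creator takes a real reference */
};

static void kvm_get_kvm(struct kvm *kvm)
{
	kvm->refcount++;
}

static void kvm_put_kvm(struct kvm *kvm)
{
	if (--kvm->refcount == 0)
		kvm->freed = 1;
}

/* Model of the device file's ->release: the device's VM reference goes away. */
static void kvm_device_release(struct kvm_device *dev)
{
	kvm_put_kvm(dev->kvm);
}

/*
 * Model of anon_inode_getfd(): once it returns, the fd is visible to user
 * space. attacker_closes models another thread calling close() on that fd
 * before the creator runs its next line; fail models getfd itself failing.
 */
static int anon_inode_getfd_model(struct kvm_device *dev, int fail, int attacker_closes)
{
	if (fail)
		return -1;
	if (attacker_closes)
		kvm_device_release(dev);
	return 3;	/* arbitrary fd number for the model */
}

/* Pre-patch order: expose the fd first, take the VM reference afterwards. */
static int create_device_buggy(struct kvm *kvm, struct kvm_device *dev, int fail, int attacker_closes)
{
	int fd;

	dev->kvm = kvm;					/* step 1: borrowed reference */
	fd = anon_inode_getfd_model(dev, fail, attacker_closes);	/* step 3 */
	if (fd < 0)
		return fd;
	kvm_get_kvm(kvm);				/* step 4: too late if close() already ran */
	return fd;
}

/* Patched order: take the reference before the fd exists, give it back on failure. */
static int create_device_fixed(struct kvm *kvm, struct kvm_device *dev, int fail, int attacker_closes)
{
	int fd;

	dev->kvm = kvm;
	kvm_get_kvm(kvm);				/* the device now owns a real reference */
	fd = anon_inode_getfd_model(dev, fail, attacker_closes);
	if (fd < 0) {
		kvm_put_kvm(kvm);			/* no file took ownership; drop it again */
		return fd;
	}
	return fd;
}

/*
 * Runs one scenario with the creator holding one reference of its own
 * (modelling the VM fd the ioctl came in on). Returns 1 if the VM object was
 * torn down while the creator still expects it alive, which is the window the
 * patch closes; *refcount_out receives the final count (1 once only the
 * creator's reference remains, 2 while an open device fd also holds one).
 */
static int scenario(int fixed_order, int fail, int attacker_closes, int *refcount_out)
{
	struct kvm kvm = { .refcount = 1, .freed = 0 };
	struct kvm_device dev = { .kvm = NULL };

	if (fixed_order)
		create_device_fixed(&kvm, &dev, fail, attacker_closes);
	else
		create_device_buggy(&kvm, &dev, fail, attacker_closes);
	if (refcount_out)
		*refcount_out = kvm.refcount;
	return kvm.freed;
}

/* Convenience wrapper returning only the final refcount of a scenario. */
static int final_refcount(int fixed_order, int fail, int attacker_closes)
{
	int rc = 0;

	scenario(fixed_order, fail, attacker_closes, &rc);
	return rc;
}

int main(void)
{
	int freed, rc;

	freed = scenario(0, 0, 1, &rc);
	printf("buggy, attacker closes fd: freed=%d refcount=%d\n", freed, rc);
	freed = scenario(1, 0, 1, &rc);
	printf("fixed, attacker closes fd: freed=%d refcount=%d\n", freed, rc);
	freed = scenario(1, 1, 0, &rc);
	printf("fixed, getfd fails:        freed=%d refcount=%d\n", freed, rc);
	return 0;
}
```

In the buggy order with the attacker racing close(), the release path drops the borrowed reference to zero before the late kvm_get_kvm() runs, so the model's freed flag is set and the subsequent get operates on a destroyed object; in the fixed order the device already holds a real reference, the close just returns the count to the creator's one, and the failure path balances the early get so nothing leaks.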