From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:53424 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752330AbeAIOZp (ORCPT
        <rfc822;stable@vger.kernel.org>); Tue, 9 Jan 2018 09:25:45 -0500
Date: Tue, 9 Jan 2018 15:25:45 +0100
From: Greg KH <gregkh@linuxfoundation.org>
To: sawlani@google.com
Cc: stable@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>,
        Radim =?utf-8?B?S3LEjW3DocWZ?= <rkrcmar@redhat.com>,
        Marc Zyngier <marc.zyngier@arm.com>,
        Christoffer Dall <christoffer.dall@linaro.org>,
        Wanpeng Li <wanpeng.li@hotmail.com>
Subject: Re: [PATCH] KVM: Fix stack-out-of-bounds read in write_mmio
Message-ID: <20180109142545.GA20221@kroah.com>
References: <20180109141527.218444-1-sawlani@google.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20180109141527.218444-1-sawlani@google.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Tue, Jan 09, 2018 at 06:15:27AM -0800, sawlani@google.com wrote:
> From: Pradeep Sawlani <sawlani@google.com>
> 
> commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56 upstream.
> 
> Reported by syzkaller:
> 
>   BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
>   Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
> 
>   CPU: 6 PID: 32298 Comm: syz-executor Tainted: G           OE    4.15.0-rc2+ #18
>   Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
>   Call Trace:
>    dump_stack+0xab/0xe1
>    print_address_description+0x6b/0x290
>    kasan_report+0x28a/0x370
>    write_mmio+0x11e/0x270 [kvm]
>    emulator_read_write_onepage+0x311/0x600 [kvm]
>    emulator_read_write+0xef/0x240 [kvm]
>    emulator_fix_hypercall+0x105/0x150 [kvm]
>    em_hypercall+0x2b/0x80 [kvm]
>    x86_emulate_insn+0x2b1/0x1640 [kvm]
>    x86_emulate_instruction+0x39a/0xb90 [kvm]
>    handle_exception+0x1b4/0x4d0 [kvm_intel]
>    vcpu_enter_guest+0x15a0/0x2640 [kvm]
>    kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
>    kvm_vcpu_ioctl+0x479/0x880 [kvm]
>    do_vfs_ioctl+0x142/0x9a0
>    SyS_ioctl+0x74/0x80
>    entry_SYSCALL_64_fastpath+0x23/0x9a
> 
> The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
> to the guest memory, however, write_mmio tracepoint always prints 8 bytes
> through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
> leaks 5 bytes from the kernel stack (CVE-2017-17741).  This patch fixes
> it by just accessing the bytes which we operate on.
> 
> Before patch:
> 
> syz-executor-5567  [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
> 
> After patch:
> 
> syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
> 
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
> Tested-by: Marc Zyngier <marc.zyngier@arm.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Marc Zyngier <marc.zyngier@arm.com>
> Cc: Christoffer Dall <christoffer.dall@linaro.org>
> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> [bwh: Backported to 4.4:
>  -Adjust filename]
> Signed-off-by: Pradeep Sawlani <sawlani@google.com>

What kernel(s) do you want this applied to?  and who is "bwh" here?

thanks,

greg k-h