From: Greg KH <greg@kroah.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: sawlani@google.com, stable@vger.kernel.org,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Marc Zyngier" <marc.zyngier@arm.com>,
"Christoffer Dall" <christoffer.dall@linaro.org>,
"Wanpeng Li" <wanpeng.li@hotmail.com>
Subject: Re: [PATCH] KVM: Fix stack-out-of-bounds read in write_mmio
Date: Wed, 10 Jan 2018 16:04:53 +0100 [thread overview]
Message-ID: <20180110150453.GB29193@kroah.com> (raw)
In-Reply-To: <61fdcd6f-184c-8a73-46cc-977170fb4d00@redhat.com>
On Wed, Jan 10, 2018 at 02:06:38PM +0100, Paolo Bonzini wrote:
> On 10/01/2018 13:14, Greg KH wrote:
> > On Tue, Jan 09, 2018 at 07:24:27AM -0800, sawlani@google.com wrote:
> >> From: Pradeep Sawlani <sawlani@google.com>
> >>
> >> commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56 upstream.
> >>
> >> Reported by syzkaller:
> >>
> >> BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
> >> Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
> >>
> >> CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
> >> Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
> >> Call Trace:
> >> dump_stack+0xab/0xe1
> >> print_address_description+0x6b/0x290
> >> kasan_report+0x28a/0x370
> >> write_mmio+0x11e/0x270 [kvm]
> >> emulator_read_write_onepage+0x311/0x600 [kvm]
> >> emulator_read_write+0xef/0x240 [kvm]
> >> emulator_fix_hypercall+0x105/0x150 [kvm]
> >> em_hypercall+0x2b/0x80 [kvm]
> >> x86_emulate_insn+0x2b1/0x1640 [kvm]
> >> x86_emulate_instruction+0x39a/0xb90 [kvm]
> >> handle_exception+0x1b4/0x4d0 [kvm_intel]
> >> vcpu_enter_guest+0x15a0/0x2640 [kvm]
> >> kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
> >> kvm_vcpu_ioctl+0x479/0x880 [kvm]
> >> do_vfs_ioctl+0x142/0x9a0
> >> SyS_ioctl+0x74/0x80
> >> entry_SYSCALL_64_fastpath+0x23/0x9a
> >>
> >> The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
> >> to the guest memory, however, write_mmio tracepoint always prints 8 bytes
> >> through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
> >> leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
> >> it by just accessing the bytes which we operate on.
> >>
> >> Before patch:
> >>
> >> syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
> >>
> >> After patch:
> >>
> >> syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
> >>
> >> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> >> Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
> >> Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
> >> Tested-by: Marc Zyngier <marc.zyngier@arm.com>
> >> Cc: Paolo Bonzini <pbonzini@redhat.com>
> >> Cc: Radim Krčmář <rkrcmar@redhat.com>
> >> Cc: Marc Zyngier <marc.zyngier@arm.com>
> >> Cc: Christoffer Dall <christoffer.dall@linaro.org>
> >> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
> >> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> >> Signed-off-by: Pradeep Sawlani <sawlani@google.com>
> >> ---
> >> arch/arm/kvm/mmio.c | 6 +++---
> >> arch/x86/kvm/x86.c | 8 ++++----
> >> include/trace/events/kvm.h | 7 +++++--
> >> 3 files changed, 12 insertions(+), 9 deletions(-)
> >
> > What stable kernel(s) do you want this applied to?
>
> This is a kernel memory leak, I think it only really matters in kernels
> that have unprivileged eBPF. But that went in for 4.4, so all of
> 4.4/4.9/4.14.
Ok, thanks. Looks like someone else just asked for this as well, and I
had already queued it up a few hours ago :)
greg k-h
next prev parent reply other threads:[~2018-01-10 15:04 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-09 15:24 [PATCH] KVM: Fix stack-out-of-bounds read in write_mmio sawlani
2018-01-10 12:14 ` Greg KH
2018-01-10 13:06 ` Paolo Bonzini
2018-01-10 15:04 ` Greg KH [this message]
-- strict thread matches above, loose matches on Subject: below --
2018-01-09 14:15 sawlani
2018-01-09 14:25 ` Greg KH
[not found] ` <CAKvfMH+JNnfiTzxqz8-DFevkYkphwujUL0nyigGyjqpHUwxm0A@mail.gmail.com>
2018-01-09 14:44 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180110150453.GB29193@kroah.com \
--to=greg@kroah.com \
--cc=christoffer.dall@linaro.org \
--cc=marc.zyngier@arm.com \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=sawlani@google.com \
--cc=stable@vger.kernel.org \
--cc=wanpeng.li@hotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).