From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out3-smtp.messagingengine.com ([66.111.4.27]:36513 "EHLO out3-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751674AbeAJPEw (ORCPT ); Wed, 10 Jan 2018 10:04:52 -0500 Date: Wed, 10 Jan 2018 16:04:53 +0100 From: Greg KH To: Paolo Bonzini Cc: sawlani@google.com, stable@vger.kernel.org, Radim =?utf-8?B?S3LEjW3DocWZ?= , Marc Zyngier , Christoffer Dall , Wanpeng Li Subject: Re: [PATCH] KVM: Fix stack-out-of-bounds read in write_mmio Message-ID: <20180110150453.GB29193@kroah.com> References: <20180109152427.239064-1-sawlani@google.com> <20180110121428.GA12483@kroah.com> <61fdcd6f-184c-8a73-46cc-977170fb4d00@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <61fdcd6f-184c-8a73-46cc-977170fb4d00@redhat.com> Sender: stable-owner@vger.kernel.org List-ID: On Wed, Jan 10, 2018 at 02:06:38PM +0100, Paolo Bonzini wrote: > On 10/01/2018 13:14, Greg KH wrote: > > On Tue, Jan 09, 2018 at 07:24:27AM -0800, sawlani@google.com wrote: > >> From: Pradeep Sawlani > >> > >> commit e39d200fa5bf5b94a0948db0dae44c1b73b84a56 upstream. > >> > >> Reported by syzkaller: > >> > >> BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm] > >> Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298 > >> > >> CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18 > >> Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016 > >> Call Trace: > >> dump_stack+0xab/0xe1 > >> print_address_description+0x6b/0x290 > >> kasan_report+0x28a/0x370 > >> write_mmio+0x11e/0x270 [kvm] > >> emulator_read_write_onepage+0x311/0x600 [kvm] > >> emulator_read_write+0xef/0x240 [kvm] > >> emulator_fix_hypercall+0x105/0x150 [kvm] > >> em_hypercall+0x2b/0x80 [kvm] > >> x86_emulate_insn+0x2b1/0x1640 [kvm] > >> x86_emulate_instruction+0x39a/0xb90 [kvm] > >> handle_exception+0x1b4/0x4d0 [kvm_intel] > >> vcpu_enter_guest+0x15a0/0x2640 [kvm] > >> kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm] > >> kvm_vcpu_ioctl+0x479/0x880 [kvm] > >> do_vfs_ioctl+0x142/0x9a0 > >> SyS_ioctl+0x74/0x80 > >> entry_SYSCALL_64_fastpath+0x23/0x9a > >> > >> The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall) > >> to the guest memory, however, write_mmio tracepoint always prints 8 bytes > >> through *(u64 *)val since kvm splits the mmio access into 8 bytes. This > >> leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes > >> it by just accessing the bytes which we operate on. > >> > >> Before patch: > >> > >> syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f > >> > >> After patch: > >> > >> syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f > >> > >> Reported-by: Dmitry Vyukov > >> Reviewed-by: Darren Kenny > >> Reviewed-by: Marc Zyngier > >> Tested-by: Marc Zyngier > >> Cc: Paolo Bonzini > >> Cc: Radim Krčmář > >> Cc: Marc Zyngier > >> Cc: Christoffer Dall > >> Signed-off-by: Wanpeng Li > >> Signed-off-by: Paolo Bonzini > >> Signed-off-by: Pradeep Sawlani > >> --- > >> arch/arm/kvm/mmio.c | 6 +++--- > >> arch/x86/kvm/x86.c | 8 ++++---- > >> include/trace/events/kvm.h | 7 +++++-- > >> 3 files changed, 12 insertions(+), 9 deletions(-) > > > > What stable kernel(s) do you want this applied to? > > This is a kernel memory leak, I think it only really matters in kernels > that have unprivileged eBPF. But that went in for 4.4, so all of > 4.4/4.9/4.14. Ok, thanks. Looks like someone else just asked for this as well, and I had already queued it up a few hours ago :) greg k-h