From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.7 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 47A17C43381 for ; Thu, 21 Feb 2019 04:10:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 11011214AF for ; Thu, 21 Feb 2019 04:10:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1550722221; bh=iEey6La3xWNBgsdc8wy5iaGuS/YKjYa3lcvUruND3UM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=NLe/Tl0YOWVQalg3lGVO0wJWtnWZV4wOzzkcPc2DevqOSpTrUVqOnFrYgMXU09IOK ZWYKIfda5pYL+YZNNfyi3gL3k5Pyjm6RJNTO4GHbphDI9RhCk1eOguhN83W2tBTsCz CEnWeG9+5q7Ka6AZVK3/3oITzxyy+4L8DYrq93LA= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726121AbfBUEKU (ORCPT ); Wed, 20 Feb 2019 23:10:20 -0500 Received: from mail.kernel.org ([198.145.29.99]:54124 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726113AbfBUEKU (ORCPT ); Wed, 20 Feb 2019 23:10:20 -0500 Received: from localhost (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 952262147A; Thu, 21 Feb 2019 04:10:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1550722219; bh=iEey6La3xWNBgsdc8wy5iaGuS/YKjYa3lcvUruND3UM=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=r6gLw1/IWUOeSawEcRF4DPu2EVcHgorChSNeVmHX03NM/SspolHW0LhwONLlfFja9 MV0tmPAYuP1I/YgowZ67BWhw5GyxSZRM880974jMuBwy4Zexpcxkf9GDq4utrWEV78 JbVk7IsMHRYVkO3NyC47tHs9qod1lFAQkURrcIqI= Date: Wed, 20 Feb 2019 23:10:18 -0500 From: Sasha Levin To: Jann Horn Cc: stable@vger.kernel.org, Paolo Bonzini Subject: Re: [PATCH 3.18,4.4] kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)g Message-ID: <20190221041018.GC10616@sasha-vm> References: <20190218165328.100978-1-jannh@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline In-Reply-To: <20190218165328.100978-1-jannh@google.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org On Mon, Feb 18, 2019 at 05:53:28PM +0100, Jann Horn wrote: >commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream. > >kvm_ioctl_create_device() does the following: > >1. creates a device that holds a reference to the VM object (with a borrowed > reference, the VM's refcount has not been bumped yet) >2. initializes the device >3. transfers the reference to the device to the caller's file descriptor table >4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real > reference > >The ownership transfer in step 3 must not happen before the reference to the VM >becomes a proper, non-borrowed reference, which only happens in step 4. >After step 3, an attacker can close the file descriptor and drop the borrowed >reference, which can cause the refcount of the kvm object to drop to zero. > >This means that we need to grab a reference for the device before >anon_inode_getfd(), otherwise the VM can disappear from under us. > >Fixes: 852b6d57dc7f ("kvm: add device control API") >Cc: stable@kernel.org >Signed-off-by: Jann Horn Hi Jann, You've dropped Paolo's S-O-B line, was it on purpose? -- Thanks, Sasha