lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4CCC2D11.7090109@web.de>
Date:	Sat, 30 Oct 2010 16:34:57 +0200
From:	Jan Kiszka <jan.kiszka@....de>
To:	Vasiliy Kulikov <segooon@...il.com>
CC:	kernel-janitors@...r.kernel.org, Avi Kivity <avi@...hat.com>,
	Marcelo Tosatti <mtosatti@...hat.com>,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
	kvm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] x86: kvm: fix information leak to userland

Am 30.10.2010 16:11, Vasiliy Kulikov wrote:
> Structure kvm_ppc_pvinfo is copied to userland with pad field
> unitialized.  Structure kvm_clock_data is copied to userland with
> flags and pad fields unitialized.  It leads to leaking of contents
> of kernel stack memory.

This description only partially matches your patch, please fix.

> 
> Signed-off-by: Vasiliy Kulikov <segooon@...il.com>
> ---
>  I cannot compile this driver, so it is not tested at all.

Why? It should be compilable (provided you have a x86 toolchain).

> 
>  As it is not compilable, I've missed and typed wrong var name in v1, sorry.
> 
>  arch/x86/kvm/x86.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index b0818f6..261f3d0 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -2896,6 +2896,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp,
>  	case KVM_GET_DEBUGREGS: {
>  		struct kvm_debugregs dbgregs;
>  
> +		memset(&dbgregs, 0, sizeof(dbgregs));
>  		kvm_vcpu_ioctl_x86_get_debugregs(vcpu, &dbgregs);
>  
>  		r = -EFAULT;
> @@ -3481,11 +3482,11 @@ long kvm_arch_vm_ioctl(struct file *filp,
>  		struct kvm_clock_data user_ns;
>  		u64 now_ns;
>  
> +		memset(&user_ns, 0, sizeof(user_ns));
>  		local_irq_disable();
>  		now_ns = get_kernel_ns();
>  		user_ns.clock = kvm->arch.kvmclock_offset + now_ns;
>  		local_irq_enable();
> -		user_ns.flags = 0;
>  
>  		r = -EFAULT;
>  		if (copy_to_user(argp, &user_ns, sizeof(user_ns)))

I would rather clear the padding/reserved fields (in both cases). No
need to double-initialize properly set fields.

There are more interfaces in KVM for obtaining data from the kernel via
padded structures. Did you check them all (kvm_vcpu_events come to my mind)?

Nevertheless, looks like a worthwhile hardening of the KVM interfaces.

Thanks,
Jan


Download attachment "signature.asc" of type "application/pgp-signature" (260 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ