lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170228005655.GK17615@umbus.fritz.box>
Date:   Tue, 28 Feb 2017 11:56:55 +1100
From:   David Gibson <david@...son.dropbear.id.au>
To:     paulus@...ba.org
Cc:     dan.carpenter@...cle.com, linuxppc-dev@...ts.ozlabs.org,
        kvm-ppc@...r.kernel.org, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: Prevent double-free on HPT resize commit path

On Wed, Feb 15, 2017 at 02:40:04PM +1100, David Gibson wrote:
> resize_hpt_release(), called once the HPT resize of a KVM guest is
> completed (successfully or unsuccessfully) free()s the state structure for
> the resize.  It is currently not safe to call with a NULL pointer.
> 
> However, one of the error paths in kvm_vm_ioctl_resize_hpt_commit() can
> invoke it with a NULL pointer.  This will occur if userspace improperly
> invokes KVM_PPC_RESIZE_HPT_COMMIT without previously calling
> KVM_PPC_RESIZE_HPT_PREPARE, or if it calls COMMIT twice without an
> intervening PREPARE.
> 
> To fix this potential crash bug - and maybe others like it, make it safe
> (and a no-op) to call resize_hpt_release() with a NULL resize pointer.
> 
> Found by Dan Carpenter with a static checker.
> 
> Reported-by: Dan Carpenter <dan.carpenter@...cle.com>
> Signed-off-by: David Gibson <david@...son.dropbear.id.au>

Ping,

Paul have you taken this one?

> ---
>  arch/powerpc/kvm/book3s_64_mmu_hv.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/arch/powerpc/kvm/book3s_64_mmu_hv.c b/arch/powerpc/kvm/book3s_64_mmu_hv.c
> index 013552f..72ccac2 100644
> --- a/arch/powerpc/kvm/book3s_64_mmu_hv.c
> +++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c
> @@ -1407,6 +1407,9 @@ static void resize_hpt_release(struct kvm *kvm, struct kvm_resize_hpt *resize)
>  {
>  	BUG_ON(kvm->arch.resize_hpt != resize);
>  
> +	if (!resize)
> +		return;
> +
>  	if (resize->hpt.virt)
>  		kvmppc_free_hpt(&resize->hpt);
>  

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ