lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 4 Dec 2017 16:43:01 +0200
From:   Serhii Popovych <spopovyc@...hat.com>
To:     David Gibson <david@...son.dropbear.id.au>
Cc:     linux-kernel@...r.kernel.org, michael@...erman.id.au,
        paulus@...ba.org, linuxppc-dev@...ts.ozlabs.org,
        kvm-ppc@...r.kernel.org
Subject: Re: [PATCH 0/4] Fix use after free in HPT resizing code and related
 minor improvements

David Gibson wrote:
> On Wed, Nov 29, 2017 at 11:38:22AM -0500, Serhii Popovych wrote:
>> It is possible to trigger use after free during HPT resize
>> causing host kernel to crash. More details and analysis of
>> the problem can be found in change with corresponding subject
>> (KVM: PPC: Book3S HV: Fix use after free in case of multiple
>> resize requests).
>>
>> We need some changes to prepare for the fix, especially
>> make ->error in HPT resize instance single point for
>> tracking allocation state, improve kvmppc_allocate_hpt()
>> and kvmppc_free_hpt() so they can be used more safely.
>>
>> See individual commit description message to get more
>> information on changes presented.
> 
> I spoke with Paul Mackerras about these patches on IRC today.  We want
> this as a fix, ASAP, in 4.15.  However, he's uncomfortable with
> pushing some of extra cleanups which aren't necessary for the bug fix
> this late for 4.15, and was having trouble following what was the core
> of the fix.  He was also nervous about the addition of more BUG_ON()s.

Good, no problem, cleanups will be pushed additionally.

> 
> To avoid the round trip to Ukraine time and back, I've made revised
> versions of patches 1 & 3 which should apply standalone, replaced the
> BUG_ON()s with WARN_ON()s and revised the commit messages to better
> explain the crucial part of the fix.
> 
> However, I've run out of time to test them.

I did the same test as for this v1 series and found no problem with v2
you sent to me: it seems patch improving kvmppc_allocate_hpt() and
kvmppc_free_hpt() isn't actually necessary as I was thinking when
submitting v1.

> 
> Serhii,  I'll send you my revised patches shortly.  Can you please
> test them and repost.  Then you can rebase patches 2 & 4 from this
> series on top of the revised patches and post those separately (as a
> cleanup with less urgency than the actual fix).

Tested with same test case as with v1: no problem so far.

> 
> A couple of people have also suggested CCing kvm@...r.kernel.org on
> the next round in addition to the lists already included.
> 

Done.

-- 
Thanks,
Serhii



Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ