| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 9 Sep 2019 18:22:16 +0200
From: David Hildenbrand <david@...hat.com>
To: Igor Mammedov <imammedo@...hat.com>
Cc: linux-kernel@...r.kernel.org, borntraeger@...ibm.com,
cohuck@...hat.com
Subject: Re: [PATCH] kvm_s390_vm_start_migration: check dirty_bitmap before
using it as target for memset()
On 09.09.19 18:17, Igor Mammedov wrote:
> On Mon, 9 Sep 2019 17:47:37 +0200
> David Hildenbrand <david@...hat.com> wrote:
>
>> On 09.09.19 16:55, Igor Mammedov wrote:
>>> If userspace doesn't set KVM_MEM_LOG_DIRTY_PAGES on memslot before calling
>>> kvm_s390_vm_start_migration(), kernel will oops with:
>>>
>>
>> We usually have the subject in a "KVM: s390: ..." format. Like
>>
>> "KVM: s390: check dirty_bitmap before using it as target for memset()"
>>
>>> Unable to handle kernel pointer dereference in virtual kernel address space
>>> Failing address: 0000000000000000 TEID: 0000000000000483
>>> Fault in home space mode while using kernel ASCE.
>>> AS:0000000002a2000b R2:00000001bff8c00b R3:00000001bff88007 S:00000001bff91000 P:000000000000003d
>>> Oops: 0004 ilc:2 [#1] SMP
>>> ...
>>> Call Trace:
>>> ([<001fffff804ec552>] kvm_s390_vm_set_attr+0x347a/0x3828 [kvm])
>>> [<001fffff804ecfc0>] kvm_arch_vm_ioctl+0x6c0/0x1998 [kvm]
>>> [<001fffff804b67e4>] kvm_vm_ioctl+0x51c/0x11a8 [kvm]
>>> [<00000000008ba572>] do_vfs_ioctl+0x1d2/0xe58
>>> [<00000000008bb284>] ksys_ioctl+0x8c/0xb8
>>> [<00000000008bb2e2>] sys_ioctl+0x32/0x40
>>> [<000000000175552c>] system_call+0x2b8/0x2d8
>>> INFO: lockdep is turned off.
>>> Last Breaking-Event-Address:
>>> [<0000000000dbaf60>] __memset+0xc/0xa0
>>>
>>> due to ms->dirty_bitmap being NULL, which migh crash the host.
>>
>> s/migh/might/
>>
>>>
>>> Make sure that ms->dirty_bitmap is set before using it or
>>> print a warning and return -ENIVAL otherwise.
>>>
>>> Signed-off-by: Igor Mammedov <imammedo@...hat.com>
>>> ---
>>>
>>> PS:
>>> keeping it private for now as issue might DoS host,
>>> I'll leave it upto maintainers to decide if it should be handled as security
>>> bug (I'm not sure what process for handling such bugs should be used).
>>>
>>>
>>> arch/s390/kvm/kvm-s390.c | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
>>> index f329dcb3f44c..dfba51c9d60c 100644
>>> --- a/arch/s390/kvm/kvm-s390.c
>>> +++ b/arch/s390/kvm/kvm-s390.c
>>> @@ -1018,6 +1018,10 @@ static int kvm_s390_vm_start_migration(struct kvm *kvm)
>>> /* mark all the pages in active slots as dirty */
>>> for (slotnr = 0; slotnr < slots->used_slots; slotnr++) {
>>> ms = slots->memslots + slotnr;
>>> + if (!ms->dirty_bitmap) {
>>> + WARN(1, "ms->dirty_bitmap == NULL\n");
>>> + return -EINVAL;
>>> + }
>>
>> if (WARN_ON_ONCE(!ms->dirty_bitmap))
>> return -EINVAL;
>>
>> But I wonder if the WARN is really needed. (or simply a wrong usage of the interface)
> I added WARN because of there is no any visible sign that something
> went wrong in userspace, this way at least we would have a trace of
> invalid API usage.
>
> But I can drop it if you prefer.
Yeah, I understand the rational, but WARN's should usually not be
triggered from user space (and -EINVAL is some telling user space
already that it is doing something wrong). If you care about a
notification maybe use a pr_warn_ratelimited() instead. Otherwise, I
suggest updating the documentation in which cases one could get -EINVAL.
Thanks!
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists