lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 27 Nov 2019 18:57:10 -0300
From:   Leonardo Bras <leonardo@...ux.ibm.com>
To:     Sean Christopherson <sean.j.christopherson@...el.com>
Cc:     Paolo Bonzini <pbonzini@...hat.com>,
        Paul Mackerras <paulus@...abs.org>,
        Radim Krčmář <rkrcmar@...hat.com>,
        kvm-ppc@...r.kernel.org, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: Add separate helper for putting borrowed reference
 to kvm

On Wed, 2019-11-27 at 17:15 -0300, Leonardo Bras wrote:
> > > > > So, suppose these threads, where:
> > > > > - T1 uses a borrowed reference, and 
> > > > > - T2 is releasing the reference (close, release):
> > > > 
> > > > Nit: T2 is releasing the *last* reference (as implied by your reference
> > > > to close/release).
> > > 
> > > Correct.
> > > 
> > > > > T1                              | T2
> > > > > kvm_get_kvm()                   |
> > > > > ...                             | kvm_put_kvm()
> > > > > kvm_put_kvm_no_destroy()        |
> > > > > 
> > > > > The above would not trigger a use-after-free bug, but will cause a
> > > > > memory leak. Is my above understanding right?
> > > > 
> > > > Yes, this is correct.
> > > > 
> > > 
> > > Then, what would not be a bug before (using kvm_put_kvm()) now is a
> > > memory leak (using kvm_put_kvm_no_destroy()).
> > 

Sorry, I missed some information on above example. 
Suppose on that example that the reorder changes take place so that
kvm_put_kvm{,_no_destroy}() always happens after the last usage of kvm
(in the same syscall, let's say).

Before T1 and T2, refcount = 1;

If T1 uses kvm_put_kvm_no_destroy():
- T1 increases refcount (=2)
- T2 decreases refcount (=1)
- T1 decreases refcount, (=0) don't free kvm (memleak)

If T1 uses kvm_put_kvm():
- T1 increases refcount (= 2)
- T2 decreases refcount (= 1)
- T1 decreases refcount, (= 0) frees kvm.

So using kvm_put_kvm_no_destroy() would introduce a memleak where it
would have no bug.

> > No, using kvm_put_kvm_no_destroy() changes how a bug would manifest, as
> > you note below.  Replacing kvm_put_kvm() with kvm_put_kvm_no_destroy()
> > when the refcount is _guaranteed_ to be >1 has no impact on correctness.

Yes, you are correct. 
But on the above case, kvm_put_kvm{,_no_destroy}() would be called
with refcount == 1, and if reorder patch is applied, it would not cause
any use-after-free error, even on kvm_put_kvm() case.

Is the above correct?

Best regards,

Leonardo


Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ