| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5789f26ca5568f05b9554053a1c6c3309d5c36e8.camel@linux.ibm.com>
Date: Thu, 28 Nov 2019 13:24:22 -0300
From: Leonardo Bras <leonardo@...ux.ibm.com>
To: Paul Mackerras <paulus@...abs.org>
Cc: Sean Christopherson <sean.j.christopherson@...el.com>,
kvm-ppc@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org,
linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
Benjamin Herrenschmidt <benh@...nel.crashing.org>,
Michael Ellerman <mpe@...erman.id.au>,
Paolo Bonzini <pbonzini@...hat.com>,
Radim Krčmář <rkrcmar@...hat.com>
Subject: Re: [PATCH 1/1] powerpc/kvm/book3s: Fixes possible 'use after
release' of kvm
On Thu, 2019-11-28 at 09:57 +1100, Paul Mackerras wrote:
> There isn't a potential use-after-free here. We are relying on the
> property that the release function (kvm_vm_release) cannot be called
> in parallel with this function. The reason is that this function
> (kvm_vm_ioctl_create_spapr_tce) is handling an ioctl on a kvm VM file
> descriptor. That means that a userspace process has the file
> descriptor still open. The code that implements the close() system
> call makes sure that no thread is still executing inside any system
> call that is using the same file descriptor before calling the file
> descriptor's release function (in this case, kvm_vm_release). That
> means that this kvm_put_kvm() call here cannot make the reference
> count go to zero.
That was very informative. A lot of things are clear to me now.
Thanks for explaining this Paul.
Best regards,
Leonardo
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists