Date:   Thu, 04 Jun 2020 12:53:09 +0200
From:   Vitaly Kuznetsov <vkuznets@...hat.com>
To:     kvm@...r.kernel.org, pbonzini@...hat.com,
        sean.j.christopherson@...el.com
Cc:     syzbot <syzbot+2a7156e11dc199bdbd8a@...kaller.appspotmail.com>,
        bp@...en8.de, hpa@...or.com, jmattson@...gle.com, joro@...tes.org,
        linux-kernel@...r.kernel.org, mingo@...hat.com,
        syzkaller-bugs@...glegroups.com, tglx@...utronix.de,
        wanpengli@...cent.com, x86@...nel.org
Subject: Re: WARNING in kvm_inject_emulated_page_fault

syzbot <syzbot+2a7156e11dc199bdbd8a@...kaller.appspotmail.com> writes:

> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    cb8e59cc Merge git://git.kernel.org/pub/scm/linux/kernel/g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14dedfe2100000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a16ddbc78955e3a9
> dashboard link: https://syzkaller.appspot.com/bug?extid=2a7156e11dc199bdbd8a
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=134ca2de100000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=178272f2100000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+2a7156e11dc199bdbd8a@...kaller.appspotmail.com
>
> L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 6819 at arch/x86/kvm/x86.c:618
> kvm_inject_emulated_page_fault+0x210/0x290 arch/x86/kvm/x86.c:618

This is 

WARN_ON_ONCE(fault->vector != PF_VECTOR);

> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 6819 Comm: syz-executor268 Not tainted 5.7.0-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x188/0x20d lib/dump_stack.c:118
>  panic+0x2e3/0x75c kernel/panic.c:221
>  __warn.cold+0x2f/0x35 kernel/panic.c:582
>  report_bug+0x27b/0x2f0 lib/bug.c:195
>  fixup_bug arch/x86/kernel/traps.c:105 [inline]
>  fixup_bug arch/x86/kernel/traps.c:100 [inline]
>  do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:197
>  do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:216
>  invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
> RIP: 0010:kvm_inject_emulated_page_fault+0x210/0x290 arch/x86/kvm/x86.c:618
>  nested_vmx_get_vmptr+0x1f9/0x2a0 arch/x86/kvm/vmx/nested.c:4638
>  handle_vmon arch/x86/kvm/vmx/nested.c:4767 [inline]
>  handle_vmon+0x168/0x3a0 arch/x86/kvm/vmx/nested.c:4728
>  vmx_handle_exit+0x29c/0x1260 arch/x86/kvm/vmx/vmx.c:6067
  
 [...]

The exception we're trying to inject comes from

 nested_vmx_get_vmptr()
  kvm_read_guest_virt()
   kvm_read_guest_virt_helper()
     vcpu->arch.walk_mmu->gva_to_gpa()

but it seems it is only set if GVA to GPA conversion fails. In case it
doesn't, we can still fail kvm_vcpu_read_guest_page() and return
X86EMUL_IO_NEEDED but nested_vmx_get_vmptr() doesn't care what we return
and does kvm_inject_emulated_page_fault(). This can happen when VMXON
parameter is MMIO, for example.

How do we fix this? We can either properly exit to userspace for handling
or, if we decide that handling such requests makes little sense, just
inject #GP if exception is not set, e.g.

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 9c74a732b08d..a21e2f32f59b 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4635,7 +4635,11 @@ static int nested_vmx_get_vmptr(struct kvm_vcpu *vcpu, gpa_t *vmpointer)
                return 1;
 
        if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) {
-               kvm_inject_emulated_page_fault(vcpu, &e);
+               if (e.vector == PF_VECTOR)
+                       kvm_inject_emulated_page_fault(vcpu, &e);
+               else
+                       kvm_inject_gp(vcpu, 0);
+
                return 1;
        }
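Review bot: the new `if (e.vector == PF_VECTOR)` test reads `e` on exactly the X86EMUL_IO_NEEDED path that, as the message above explains, never fills it in; unless `e` is initialized before the call (its declaration is outside this hunk), the branch depends on indeterminate stack contents, and a stale value equal to PF_VECTOR would still reach kvm_inject_emulated_page_fault() with a garbage address. Dispatching on the return value of kvm_read_guest_virt() instead of its truthiness avoids that: capture `r = kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e);`, inject the page fault only when `r` reports a propagated fault, and inject #GP (or exit to userspace, as the message weighs) when `r == X86EMUL_IO_NEEDED`.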

-- 
Vitaly
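The failure path described in the message, as a stand-alone C model added here (not KVM source): a two-stage guest read in which only the address walk fills in the exception struct, beside a caller that injects a #PF on every failure and one that dispatches on the return code. The struct layout, the two-page guest layout and the error-code values are simplified stand-ins.

```c
/* Added example (not KVM source): stand-alone model of the failure path above.
 * Only the address walk fills in *e, so injecting a #PF on every failure is wrong. */
#include <stdint.h>
/* Names follow KVM's emulator; values are arbitrary for this model. */
#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 2   /* *e was filled in by the address walk */
#define X86EMUL_IO_NEEDED       5   /* backing page is MMIO; *e is NOT touched */
#define PF_VECTOR 14
#define GP_VECTOR 13
#define RAM_GVA  0x1000ULL   /* constructed guest layout: one RAM page, */
#define MMIO_GVA 0x2000ULL   /* one MMIO page, everything else unmapped */
struct x86_exception { uint8_t vector; uint16_t error_code; uint64_t address; };
/* Stage 1 (models walk_mmu->gva_to_gpa): sets *e only when the walk fails. */
static int gva_to_gpa(uint64_t gva, uint64_t *gpa, struct x86_exception *e)
{
    if (gva != RAM_GVA && gva != MMIO_GVA) {
        e->vector = PF_VECTOR; e->error_code = 0; e->address = gva;
        return X86EMUL_PROPAGATE_FAULT;
    }
    *gpa = gva;  /* identity-mapped for the model */
    return X86EMUL_CONTINUE;
}

/* Stage 2 (models kvm_read_guest_virt): an MMIO page fails with no exception. */
static int read_guest_virt(uint64_t gva, uint64_t *val, struct x86_exception *e)
{
    uint64_t gpa;
    int r = gva_to_gpa(gva, &gpa, e);
    if (r != X86EMUL_CONTINUE) return r;
    if (gpa == MMIO_GVA) return X86EMUL_IO_NEEDED;
    *val = 0xdeadbeefULL;  /* constructed page contents */
    return X86EMUL_CONTINUE;
}

/* Original caller: any non-zero return goes to the page-fault injector.
 * Returns the vector it would inject (0 = none); anything but 14 is the WARN. */
static int vmptr_original(uint64_t gva)
{
    uint64_t v; struct x86_exception e = { .vector = 0xff };  /* stale stack slot */
    return read_guest_virt(gva, &v, &e) ? e.vector : 0;
}

/* Fixed caller: branch on the return code, not on whatever e happens to hold. */
static int vmptr_fixed(uint64_t gva)
{
    uint64_t v; struct x86_exception e;
    int r = read_guest_virt(gva, &v, &e);
    if (r == X86EMUL_CONTINUE) return 0;
    if (r == X86EMUL_PROPAGATE_FAULT) return e.vector;  /* genuine #PF */
    return GP_VECTOR;  /* IO_NEEDED etc.: nothing to propagate, inject #GP */
}
```

Feeding the MMIO address to the original caller yields a vector other than 14, which is the condition the WARN_ON_ONCE in kvm_inject_emulated_page_fault() checks.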
