lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 31 Mar 2021 09:21:10 +0200
From:   Emanuele Giuseppe Esposito <eesposit@...hat.com>
To:     Sean Christopherson <seanjc@...gle.com>
Cc:     kvm@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
        Jonathan Corbet <corbet@....net>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Jim Mattson <jmattson@...gle.com>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        "H. Peter Anvin" <hpa@...or.com>, Shuah Khan <shuah@...nel.org>,
        Alexander Graf <graf@...zon.com>,
        Andrew Jones <drjones@...hat.com>, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH 1/4] kvm: cpuid: adjust the returned nent field of
 kvm_cpuid2 for KVM_GET_SUPPORTED_CPUID and KVM_GET_EMULATED_CPUID



On 31/03/2021 05:01, Sean Christopherson wrote:
> On Tue, Mar 30, 2021, Emanuele Giuseppe Esposito wrote:
>> Calling the kvm KVM_GET_[SUPPORTED/EMULATED]_CPUID ioctl requires
>> a nent field inside the kvm_cpuid2 struct to be big enough to contain
>> all entries that will be set by kvm.
>> Therefore if the nent field is too high, kvm will adjust it to the
>> right value. If too low, -E2BIG is returned.
>>
>> However, when filling the entries do_cpuid_func() requires an
>> additional entry, so if the right nent is known in advance,
>> giving the exact number of entries won't work because it has to be increased
>> by one.
>>
>> Signed-off-by: Emanuele Giuseppe Esposito <eesposit@...hat.com>
>> ---
>>   arch/x86/kvm/cpuid.c | 6 ++++++
>>   1 file changed, 6 insertions(+)
>>
>> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
>> index 6bd2f8b830e4..5412b48b9103 100644
>> --- a/arch/x86/kvm/cpuid.c
>> +++ b/arch/x86/kvm/cpuid.c
>> @@ -975,6 +975,12 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid,
>>   
>>   	if (cpuid->nent < 1)
>>   		return -E2BIG;
>> +
>> +	/* if there are X entries, we need to allocate at least X+1
>> +	 * entries but return the actual number of entries
>> +	 */
>> +	cpuid->nent++;
> 
> I don't see how this can be correct.
> 
> If this bonus entry really is needed, then won't that be reflected in array.nent?
> I.e won't KVM overrun the userspace buffer?
> 
> If it's not reflected in array.nent, that would imply there's an off-by-one check
> somewhere, or KVM is creating an entry that it doesn't copy to userspace.  The
> former seems unlikely as there are literally only two checks against maxnent,
> and they both look correct (famous last words...).
> 
> KVM does decrement array->nent in one specific case (CPUID.0xD.2..64), i.e. a
> false positive is theoretically possible, but that carries a WARN and requires a
> kernel or CPU bug as well.  And fudging nent for that case would still break
> normal use cases due to the overrun problem.
> 
> What am I missing?

(Maybe I should have put this series as RFC)

The problem I see and noticed while doing the KVM_GET_EMULATED_CPUID 
selftest is the following: assume there are 3 kvm emulated entries, and 
the user sets cpuid->nent = 3. This should work because kvm sets 3 
array->entries[], and copies them to user space.

However, when the 3rd entry is populated inside kvm (array->entries[2]), 
array->nent is increased once more (do_host_cpuid and 
__do_cpuid_func_emulated). At that point, the loop in 
kvm_dev_ioctl_get_cpuid and get_cpuid_func can potentially iterate once 
more, going into the

if (array->nent >= array->maxnent)
	return -E2BIG;

in __do_cpuid_func_emulated and do_host_cpuid, returning the error. I 
agree that we need that check there because the following code tries to 
access the array entry at array->nent index, but from what I understand 
that access can be potentially useless because it might just jump to the 
default entry in the switch statement and not set the entry, leaving 
array->nent to 3. Therefore with 3 kvm entries, the user would need to 
set cpuid->nent = 4 in order to work, even though only 3 entries are set.

There is no user space overflow because kvm uses array.nent in 
kvm_dev_ioctl_get_cpuid to specify how many entries to copy to the user.
My fix simply pre-increments the nent field on behalf of user space, so 
that an additional allocation is performed just in case but if not 
filled, it will not be copied to userspace.

Of course any better solution is very welcome :)

If you are wondering how a user can know in advance the exact number of 
nentries, the only way is to initially invoke the ioctl with cpuid->nent 
= 1000 or simply KVM_MAX_CPUID_ENTRIES, and kvm will not only set the 
entries but also adjust the nent field. In my case it was returning 3, 
but without this fix a successive KVM_GET_EMULATED_CPUID ioctl with nent 
= 3 would just return -E2BIG.

Thank you,
Emanuele

> 
>> +
>>   	if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
>>   		cpuid->nent = KVM_MAX_CPUID_ENTRIES;
>>   
>> -- 
>> 2.30.2
>>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ