lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 18 May 2021 09:41:35 -0400
From:   Tony Krowiak <akrowiak@...ux.ibm.com>
To:     Halil Pasic <pasic@...ux.ibm.com>
Cc:     linux-s390@...r.kernel.org, linux-kernel@...r.kernel.org,
        borntraeger@...ibm.com, cohuck@...hat.com,
        pasic@...ux.vnet.ibm.com, jjherne@...ux.ibm.com, jgg@...dia.com,
        alex.williamson@...hat.com, kwankhede@...dia.com,
        stable@...r.kernel.org, Tony Krowiak <akrowiak@...y.rr.com>
Subject: Re: [PATCH v2] s390/vfio-ap: fix memory leak in mdev remove callback



On 5/17/21 3:10 PM, Halil Pasic wrote:
> On Mon, 17 May 2021 09:37:42 -0400
> Tony Krowiak <akrowiak@...ux.ibm.com> wrote:
>
>>> Because of this, I don't think the rest of your argument is valid.
>> Okay, so your concern is that between the point in time the
>> vcpu->kvm->arch.crypto.pqap_hook pointer is checked in
>> priv.c and the point in time the handle_pqap() function
>> in vfio_ap_ops.c is called, the memory allocated for the
>> matrix_mdev containing the struct kvm_s390_module_hook
>> may get freed, thus rendering the function pointer invalid.
>> While not impossible, that seems extremely unlikely to
>> happen. Can you articulate a scenario where that could
>> even occur?
> Malicious userspace. We tend to do the pqap aqic just once
> in the guest right after the queue is detected. I do agree
> it ain't very likely to happen during normal operation. But why are
> you asking?

I'm just trying to wrap my head around how this can
happen given the incredibly small window between
access to the pointer to the structure containing the
function pointer and access to the function pointer
itself.

>
> I'm not sure I understood correctly what kind of a scenario are
> you asking for. PQAP AQIC and mdev remove are independent
> events originated in userspace, so AFAIK we may not assume
> that the execution of two won't overlap, nor are we allowed
> to make assumptions on how does the execution of these two
> overlap (except for the things we explicitly ensure -- e.g.
> some parts are made mutually exclusive using the matrix_dev->lock
> lock).

It looks like we need a way to control access to the
struct kvm_s390_module_hook. I'm looking into
Christian's suggestion for using RCU as well as other
solutions.

>
> Regards,
> Halil
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ