lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 18 May 2021 17:33:51 +0200
From:   Halil Pasic <pasic@...ux.ibm.com>
To:     Christian Borntraeger <borntraeger@...ibm.com>
Cc:     Tony Krowiak <akrowiak@...ux.ibm.com>, linux-s390@...r.kernel.org,
        linux-kernel@...r.kernel.org, cohuck@...hat.com,
        pasic@...ux.vnet.ibm.com, jjherne@...ux.ibm.com, jgg@...dia.com,
        alex.williamson@...hat.com, kwankhede@...dia.com,
        stable@...r.kernel.org, Tony Krowiak <akrowiak@...y.rr.com>
Subject: Re: [PATCH v2] s390/vfio-ap: fix memory leak in mdev remove
 callback

On Tue, 18 May 2021 15:59:36 +0200
Christian Borntraeger <borntraeger@...ibm.com> wrote:

> On 18.05.21 15:42, Tony Krowiak wrote:
> > 
> > 
> > On 5/18/21 5:30 AM, Christian Borntraeger wrote:  
> >>
> >>
> >> On 17.05.21 21:10, Halil Pasic wrote:  
> >>> On Mon, 17 May 2021 09:37:42 -0400
> >>> Tony Krowiak <akrowiak@...ux.ibm.com> wrote:
> >>>  
> >>>>>
> >>>>> Because of this, I don't think the rest of your argument is valid.  
> >>>>
> >>>> Okay, so your concern is that between the point in time the
> >>>> vcpu->kvm->arch.crypto.pqap_hook pointer is checked in
> >>>> priv.c and the point in time the handle_pqap() function
> >>>> in vfio_ap_ops.c is called, the memory allocated for the
> >>>> matrix_mdev containing the struct kvm_s390_module_hook
> >>>> may get freed, thus rendering the function pointer invalid.
> >>>> While not impossible, that seems extremely unlikely to
> >>>> happen. Can you articulate a scenario where that could
> >>>> even occur?  
> >>>
> >>> Malicious userspace. We tend to do the pqap aqic just once
> >>> in the guest right after the queue is detected. I do agree
> >>> it ain't very likely to happen during normal operation. But why are
> >>> you asking?  
> >>
> >> Would it help, if the code in priv.c would read the hook once
> >> and then only work on the copy? We could protect that with rcu
> >> and do a synchronize rcu in vfio_ap_mdev_unset_kvm after
> >> unsetting the pointer?

Unfortunately just "the hook" is ambiguous in this context. We
have kvm->arch.crypto.pqap_hook that is supposed to point to
a struct kvm_s390_module_hook member of struct ap_matrix_mdev 
which is also called pqap_hook. And struct kvm_s390_module_hook
has function pointer member named "hook".

> > 
> > I'll look into this.  
> 
> I think it could work. in priv.c use rcu_readlock, save the
> pointer, do the check and call, call rcu_read_unlock.
> In vfio_ap use rcu_assign_pointer to set the pointer and
> after setting it to zero call sychronize_rcu.

In my opinion, we should make the accesses to the
kvm->arch.crypto.pqap_hook pointer properly synchronized. I'm
not sure if that is what you are proposing. How do we usually
do synchronisation on the stuff that lives in kvm->arch?

BTW, something as simple as a cmpxchg which boils down to the
CSG instruction for us would suffice in this case (or forcing
any interlocked update type construct). 

> 
> Halil, I think we can do this as an addon patch as it makes
> sense to have this callback pointer protected independent of
> this patch. Agree?

Unfortunately I didn't quite get at the bottom of what exactly gets
leaked. My intuition is, that trading a leak for an use after free
is in general not a good idea. In this particular case, assuming
userspace is well behaved, the use after free is very unlikely,
but then I don't consider the leak to be awfully likely either. A
well behaved userspace should not attempt to remove the mdev while
it is associated with a guest. We documented that in:
Documentation/s390/vfio-ap.rst
"""
  remove:
    deallocates the mediated matrix device's ap_matrix_mdev structure. This will
    be allowed only if a running guest is not using the mdev.
"""
BTW this patch should probably change that piece of documentation as
well.

In this case, because the leak is much likelier than the use after
free (assuming a non-malicious-userspace) the trade may be worth it. Yet my
independent opinion is that I would prefer this fixed in one go and
properly. But I do trust your judgement better than mine (especially in
matters like this). So feel free to go ahead (i.e. I'm not going to NACK
this). 

Regards,
Halil

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ