lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4e66f922-c081-0b00-d77e-fb1e1d5e9d49@huawei.com>
Date:   Thu, 5 Aug 2021 10:05:42 +0800
From:   "wanghai (M)" <wanghai38@...wei.com>
To:     <jhansen@...are.com>, <vdasa@...are.com>, <arnd@...db.de>,
        <gregkh@...uxfoundation.org>, <dtor@...are.com>,
        <georgezhang@...are.com>, <acking@...are.com>
CC:     <pv-drivers@...are.com>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] VMCI: fix NULL pointer dereference when unmapping queue
 pair


在 2021/8/4 21:48, Wang Hai 写道:
> I got a NULL pointer dereference report when doing fuzz test:
>
> Call Trace:
>    qp_release_pages+0xae/0x130
>    qp_host_unregister_user_memory.isra.25+0x2d/0x80
>    vmci_qp_broker_unmap+0x191/0x320
>    ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0
>    vmci_host_unlocked_ioctl+0x59f/0xd50
>    ? do_vfs_ioctl+0x14b/0xa10
>    ? tomoyo_file_ioctl+0x28/0x30
>    ? vmci_host_do_alloc_queuepair.isra.9+0x1c0/0x1c0
>    __x64_sys_ioctl+0xea/0x120
>    do_syscall_64+0x34/0xb0
>    entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> When a queue pair is created by the following call, it will not
> register the user memory if the page_store is NULL, and the
> entry->state will be set to VMCIQPB_CREATED_NO_MEM.
>
> vmci_host_unlocked_ioctl
>    vmci_host_do_alloc_queuepair
>      vmci_qp_broker_alloc
>        qp_broker_alloc
>          qp_broker_create // set entry->state = VMCIQPB_CREATED_NO_MEM;
>
> When unmapping this queue pair, qp_host_unregister_user_memory() will
> be called to unregister the non-existent user memory, which will
> result in a null pointer reference. It will also change
> VMCIQPB_CREATED_NO_MEM to VMCIQPB_CREATED_MEM, which should not be
> present in this operation.
>
> If the qp broker has mem, there no need to register or unregister
> the user memory when mapping or unmapping the qp broker.

If the qp broker has mem, there no need to register the user memory when mapping the qp broker.
If the qp broker has no mem, there no need to unregister the user memory when ummapping the qp broker.

> Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.")
> Reported-by: Hulk Robot <hulkci@...wei.com>
> Signed-off-by: Wang Hai <wanghai38@...wei.com>
> ---
>   drivers/misc/vmw_vmci/vmci_queue_pair.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c
> index 880c33ab9f47..0c6fb4c0d5ac 100644
> --- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
> +++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
> @@ -2243,7 +2243,8 @@ int vmci_qp_broker_map(struct vmci_handle handle,
>   
>   	result = VMCI_SUCCESS;
>   
> -	if (context_id != VMCI_HOST_CONTEXT_ID) {
> +	if (context_id != VMCI_HOST_CONTEXT_ID &&
> +	    QPBROKERSTATE_HAS_MEM(entry)) {
>   		struct vmci_qp_page_store page_store;
>   

should be:
-	if (context_id != VMCI_HOST_CONTEXT_ID) {
+	if (context_id != VMCI_HOST_CONTEXT_ID &&
+	    !QPBROKERSTATE_HAS_MEM(entry)) {

>   		page_store.pages = guest_mem;
> @@ -2350,7 +2351,8 @@ int vmci_qp_broker_unmap(struct vmci_handle handle,
>   		goto out;
>   	}
>   
> -	if (context_id != VMCI_HOST_CONTEXT_ID) {
> +	if (context_id != VMCI_HOST_CONTEXT_ID &&
> +	    QPBROKERSTATE_HAS_MEM(entry)) {
>   		qp_acquire_queue_mutex(entry->produce_q);
>   		result = qp_save_headers(entry);
>   		if (result < VMCI_SUCCESS)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ