lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri,  8 Oct 2021 17:11:06 -0700
From:   Sean Christopherson <seanjc@...gle.com>
To:     Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        x86@...nel.org, Paolo Bonzini <pbonzini@...hat.com>
Cc:     "H. Peter Anvin" <hpa@...or.com>,
        Sean Christopherson <seanjc@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Joerg Roedel <joro@...tes.org>, linux-kernel@...r.kernel.org,
        kvm@...r.kernel.org
Subject: [PATCH 3/4] x86/irq: KVM: Harden posted interrupt (un)registration paths

Split the register and unregister paths for the posted interrupt wakeup
handler, and WARN on conditions that are blatant bugs, e.g. attempting to
overwrite an existing handler, unregistering the wrong handler, etc...
This is very much a "low hanging fruit" hardening, e.g. a broken module
could foul things up by doing concurrent registration from multiple CPUs.

Drop the use of a dummy handler so that the rejection logic can use a
simple NULL check.  There is zero benefit to blindly calling into a dummy
handler.

Note, the registration path doesn't require synchronization, as it's the
caller's responsibility to not generate interrupts it cares about until
after its handler is registered, i.e. there can't be a relevant in-flight
interrupt.

Signed-off-by: Sean Christopherson <seanjc@...gle.com>
---
 arch/x86/include/asm/irq.h |  3 ++-
 arch/x86/kernel/irq.c      | 29 ++++++++++++++++++++---------
 arch/x86/kvm/vmx/vmx.c     |  4 ++--
 3 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/arch/x86/include/asm/irq.h b/arch/x86/include/asm/irq.h
index 768aa234cbb4..c79014c2443d 100644
--- a/arch/x86/include/asm/irq.h
+++ b/arch/x86/include/asm/irq.h
@@ -30,7 +30,8 @@ struct irq_desc;
 extern void fixup_irqs(void);
 
 #ifdef CONFIG_HAVE_KVM
-extern void kvm_set_posted_intr_wakeup_handler(void (*handler)(void));
+extern void kvm_register_posted_intr_wakeup_handler(void (*handler)(void));
+extern void kvm_unregister_posted_intr_wakeup_handler(void (*handler)(void));
 #endif
 
 extern void (*x86_platform_ipi_callback)(void);
diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
index 20773d315308..97f452cc84be 100644
--- a/arch/x86/kernel/irq.c
+++ b/arch/x86/kernel/irq.c
@@ -284,18 +284,26 @@ DEFINE_IDTENTRY_SYSVEC(sysvec_x86_platform_ipi)
 #endif
 
 #ifdef CONFIG_HAVE_KVM
-static void dummy_handler(void) {}
-static void (*kvm_posted_intr_wakeup_handler)(void) = dummy_handler;
+static void (*kvm_posted_intr_wakeup_handler)(void);
 
-void kvm_set_posted_intr_wakeup_handler(void (*handler)(void))
+void kvm_register_posted_intr_wakeup_handler(void (*handler)(void))
 {
-	if (handler)
-		kvm_posted_intr_wakeup_handler = handler;
-	else
-		kvm_posted_intr_wakeup_handler = dummy_handler;
+	if (WARN_ON_ONCE(!handler || kvm_posted_intr_wakeup_handler))
+		return;
+
+	WRITE_ONCE(kvm_posted_intr_wakeup_handler, handler);
+}
+EXPORT_SYMBOL_GPL(kvm_register_posted_intr_wakeup_handler);
+
+void kvm_unregister_posted_intr_wakeup_handler(void (*handler)(void))
+{
+	if (WARN_ON_ONCE(!handler || handler != kvm_posted_intr_wakeup_handler))
+		return;
+
+	WRITE_ONCE(kvm_posted_intr_wakeup_handler, NULL);
 	synchronize_rcu();
 }
-EXPORT_SYMBOL_GPL(kvm_set_posted_intr_wakeup_handler);
+EXPORT_SYMBOL_GPL(kvm_unregister_posted_intr_wakeup_handler);
 
 /*
  * Handler for POSTED_INTERRUPT_VECTOR.
@@ -311,9 +319,12 @@ DEFINE_IDTENTRY_SYSVEC_SIMPLE(sysvec_kvm_posted_intr_ipi)
  */
 DEFINE_IDTENTRY_SYSVEC(sysvec_kvm_posted_intr_wakeup_ipi)
 {
+	void (*handler)(void) = READ_ONCE(kvm_posted_intr_wakeup_handler);
+
 	ack_APIC_irq();
 	inc_irq_stat(kvm_posted_intr_wakeup_ipis);
-	kvm_posted_intr_wakeup_handler();
+	if (handler)
+		handler();
 }
 
 /*
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index bfdcdb399212..9164f1870d49 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7553,7 +7553,7 @@ static void vmx_migrate_timers(struct kvm_vcpu *vcpu)
 
 static void hardware_unsetup(void)
 {
-	kvm_set_posted_intr_wakeup_handler(NULL);
+	kvm_unregister_posted_intr_wakeup_handler(pi_wakeup_handler);
 
 	if (nested)
 		nested_vmx_hardware_unsetup();
@@ -7907,7 +7907,7 @@ static __init int hardware_setup(void)
 	if (r)
 		nested_vmx_hardware_unsetup();
 
-	kvm_set_posted_intr_wakeup_handler(pi_wakeup_handler);
+	kvm_register_posted_intr_wakeup_handler(pi_wakeup_handler);
 
 	return r;
 }
-- 
2.33.0.882.g93a45727a2-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ