lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 21 Oct 2021 22:08:25 +0200
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     butt3rflyh4ck <butterflyhuangxx@...il.com>,
        "Woodhouse, David" <dwmw@...zon.co.uk>
Cc:     kvm@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: There is a null-ptr-deref bug in kvm_dirty_ring_get in
 virt/kvm/dirty_ring.c

On 18/10/21 19:14, butt3rflyh4ck wrote:
> {
> struct kvm_vcpu *vcpu = kvm_get_running_vcpu();  //-------> invoke
> kvm_get_running_vcpu() to get a vcpu.
> 
> WARN_ON_ONCE(vcpu->kvm != kvm); [1]
> 
> return &vcpu->dirty_ring;
> }
> ```
> but we had not called KVM_CREATE_VCPU ioctl to create a kvm_vcpu so
> vcpu is NULL.

It's not just because there was no call to KVM_CREATE_VCPU; in general 
kvm->dirty_ring_size only works if all writes are associated to a 
specific vCPU, which is not the case for the one of 
kvm_xen_shared_info_init.

David, what do you think?  Making dirty-page ring buffer incompatible 
with Xen is ugly and I'd rather avoid it; taking the mutex for vcpu 0 is 
not an option because, as the reporter said, you might not have even 
created a vCPU yet when you call KVM_XEN_HVM_SET_ATTR.  The remaining 
option would be just "do not mark the page as dirty if the ring buffer 
is active".  This is feasible because userspace itself has passed the 
shared info gfn; but again, it's ugly...

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ