| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFcO6XMe9RXRHxbjXoNBE3xFaATJggrpiRH-9127XBrBzf3eeg@mail.gmail.com>
Date: Mon, 8 Nov 2021 13:11:57 +0800
From: butt3rflyh4ck <butterflyhuangxx@...il.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: "Woodhouse, David" <dwmw@...zon.co.uk>, kvm@...r.kernel.org,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: There is a null-ptr-deref bug in kvm_dirty_ring_get in virt/kvm/dirty_ring.c
Hi, No one pays attention to this issue?
Regards,
butt3rflyh4ck.
On Fri, Oct 22, 2021 at 4:08 AM Paolo Bonzini <pbonzini@...hat.com> wrote:
>
> On 18/10/21 19:14, butt3rflyh4ck wrote:
> > {
> > struct kvm_vcpu *vcpu = kvm_get_running_vcpu(); //-------> invoke
> > kvm_get_running_vcpu() to get a vcpu.
> >
> > WARN_ON_ONCE(vcpu->kvm != kvm); [1]
> >
> > return &vcpu->dirty_ring;
> > }
> > ```
> > but we had not called KVM_CREATE_VCPU ioctl to create a kvm_vcpu so
> > vcpu is NULL.
>
> It's not just because there was no call to KVM_CREATE_VCPU; in general
> kvm->dirty_ring_size only works if all writes are associated to a
> specific vCPU, which is not the case for the one of
> kvm_xen_shared_info_init.
>
> David, what do you think? Making dirty-page ring buffer incompatible
> with Xen is ugly and I'd rather avoid it; taking the mutex for vcpu 0 is
> not an option because, as the reporter said, you might not have even
> created a vCPU yet when you call KVM_XEN_HVM_SET_ATTR. The remaining
> option would be just "do not mark the page as dirty if the ring buffer
> is active". This is feasible because userspace itself has passed the
> shared info gfn; but again, it's ugly...
>
> Paolo
>
--
Active Defense Lab of Venustech
Powered by blists - more mailing lists