| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20220816053937.2477106-1-seanjc@google.com>
Date: Tue, 16 Aug 2022 05:39:34 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+744e173caec2e1627ee0@...kaller.appspotmail.com,
Oliver Upton <oliver.upton@...ux.dev>,
Sean Christopherson <seanjc@...gle.com>,
David Matlack <dmatlack@...gle.com>
Subject: [PATCH 0/3] KVM: kvm_create_vm() bug fixes and cleanup
Fix two (embarassing) bugs in kvm_create_vm() where KVM fails to properly
unwind VM creation, which most often manifests as a not-present page fault
due to use-after-free when walking the global vm_list (VM is added and
freed, but never removed from the list). Patch 3 is a loosely related
clean up.
I discovered the try_get_module() bug by inspection[*]. syzkaller found
the debugfs around the same time.
The try_get_module() bug is especially bad/amusing. The "rmmod --wait"
behavior KVM is trying to handle was removed ~9 years ago...
[*] https://lore.kernel.org/all/YvU+6fdkHaqQiKxp@google.com
Sean Christopherson (3):
KVM: Properly unwind VM creation if creating debugfs fails
KVM: Unconditionally get a ref to /dev/kvm module when creating a VM
KVM: Move coalesced MMIO initialization (back) into kvm_create_vm()
virt/kvm/kvm_main.c | 39 +++++++++++++++++----------------------
1 file changed, 17 insertions(+), 22 deletions(-)
base-commit: 19a7cc817a380f7a412d7d76e145e9e2bc47e52f
--
2.37.1.595.g718a3a8f04-goog
Powered by blists - more mailing lists