lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20221013211234.1318131-1-seanjc@google.com>
Date:   Thu, 13 Oct 2022 21:12:18 +0000
From:   Sean Christopherson <seanjc@...gle.com>
To:     Sean Christopherson <seanjc@...gle.com>,
        Paolo Bonzini <pbonzini@...hat.com>
Cc:     kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
        Michal Luczaj <mhal@...x.co>,
        David Woodhouse <dwmw2@...radead.org>
Subject: [PATCH v2 00/16] KVM: x86: gfn_to_pfn_cache fixes and cleanups

The highlights are two fixes for bugs where "destroying" and "initializing"
a gfn=>pfn cache while it is being accessed results in various forms of
badness, e.g. re-initialization of an in-use lock, consuming a NULL pointer,
potential memory corruption, etc...

Everything else is cleanup to make the gpc APIs easier to use and harder
to use incorrectly.

David, patch 3 (KVM: x86: Always use non-compat vcpu_runstate_info size...)
in particular needs your eyeballs.  I'm pretty sure it's ok, but
confirmation from someone that actually uses KVM XEN would be nice.

v2:
 - Fix active vs. valid race by rejecting refresh() if the cache is
   currently invalid.
 - Tweak shortlogs to be "KVM" only.  Even though x86 is the only user
   of the caches, I think it makes sense to tag the changes as "full"
   KVM for future readers.
 - Add back the selftest (from the RFC) that triggers the race conditions.
 - Always use non-compat size for checking+refreshing runstate_info and
   make @len truly immutable.
 - Drop unmap() for the moment.  I started adding code to prevent "bad"
   usage, but without any user I couldn't figure out exactly what
   restrictions need to be in place.
 - Do more cleanup.

v1: https://lore.kernel.org/all/20220921020140.3240092-1-mhal@rbox.co

Michal Luczaj (9):
  KVM: Initialize gfn_to_pfn_cache locks in dedicated helper
  KVM: Shorten gfn_to_pfn_cache function names
  KVM: x86: Remove unused argument in gpc_unmap_khva()
  KVM: Store immutable gfn_to_pfn_cache properties
  KVM: Store gfn_to_pfn_cache length as an immutable property
  KVM: Use gfn_to_pfn_cache's immutable "kvm" in kvm_gpc_check()
  KVM: Clean up hva_to_pfn_retry()
  KVM: Use gfn_to_pfn_cache's immutable "kvm" in kvm_gpc_refresh()
  KVM: selftests: Add tests in xen_shinfo_test to detect lock races

Sean Christopherson (7):
  KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache
  KVM: x86: Always use non-compat vcpu_runstate_info size for gfn=>pfn
    cache
  KVM: Drop KVM's API to allow temprorarily unmapping gfn=>pfn cache
  KVM: Do not partially reinitialize gfn=>pfn cache during activation
  KVM: Drop @gpa from exported gfn=>pfn cache check() and refresh()
    helpers
  KVM: Skip unnecessary "unmap" if gpc is already valid during refresh
  KVM: selftests: Mark "guest_saw_irq" as volatile in xen_shinfo_test

 arch/x86/kvm/x86.c                            |  24 +--
 arch/x86/kvm/xen.c                            |  84 ++++-----
 include/linux/kvm_host.h                      |  73 ++++----
 include/linux/kvm_types.h                     |   2 +
 .../selftests/kvm/x86_64/xen_shinfo_test.c    | 142 ++++++++++++++-
 virt/kvm/pfncache.c                           | 170 ++++++++++--------
 6 files changed, 320 insertions(+), 175 deletions(-)


base-commit: e18d6152ff0f41b7f01f9817372022df04e0d354
-- 
2.38.0.413.g74048e4d9e-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ