Message-ID: <b44227c5-5af6-4243-8ed9-2b8cdc0e5325@gmail.com>
Date: Fri, 19 Jul 2024 20:41:47 +0200
From: Mirsad Todorovac <mtodorovac69@...il.com>
To: kvm@...r.kernel.org
Cc: Sean Christopherson <seanjc@...gle.com>,
 Paolo Bonzini <pbonzini@...hat.com>, Thomas Gleixner <tglx@...utronix.de>,
 Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
 Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
 "H. Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org,
 Vitaly Kuznetsov <vkuznets@...hat.com>
Subject: [BUG] arch/x86/kvm/vmx/vmx_onhyperv.h:109:36: error: dereference of NULL ‘0’

Hi, all!

Here is another potential NULL pointer dereference in the kvm subsystem of Linux stable vanilla 6.10,
as GCC 12.3.0 complains.

(Please don't throw stuff at me, I think this is the last one for today :-)

arch/x86/include/asm/mshyperv.h
-------------------------------
  242 static inline struct hv_vp_assist_page *hv_get_vp_assist_page(unsigned int cpu)
  243 {
  244         if (!hv_vp_assist_page)
  245                 return NULL;
  246 
  247         return hv_vp_assist_page[cpu];
  248 }

arch/x86/kvm/vmx/vmx_onhyperv.h
-------------------------------
  102 static inline void evmcs_load(u64 phys_addr)
  103 {
  104         struct hv_vp_assist_page *vp_ap =
  105                 hv_get_vp_assist_page(smp_processor_id());
  106 
  107         if (current_evmcs->hv_enlightenments_control.nested_flush_hypercall)
  108                 vp_ap->nested_control.features.directhypercall = 1;
  109         vp_ap->current_nested_vmcs = phys_addr;
  110         vp_ap->enlighten_vmentry = 1;
  111 }

Now, this one is simple: hv_get_vp_assist_page(cpu) can return NULL, and in line 104 its result is assigned
to vp_ap, which is dereferenced in lines 108, 109, and 110 without being checked for NULL after
hv_get_vp_assist_page() returns.

Commits 50a82b0eb88c1 and a46d15cc1ae5a are related to the issue.

Hope this helps.

Best regards,
Mirsad Todorovac
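Added illustration (not part of the original message, and not kernel code): a small user-space model of the pattern the report describes. The lookup helper returns NULL when the per-CPU table has not been set up, and two callers are shown side by side: one that dereferences the result unconditionally, as in the quoted evmcs_load(), and one that checks the pointer and reports failure instead. All names prefixed `model_`, the struct layout, the CPU count and the `-1` error convention are assumptions made for this example; they do not reflect the real hv_vp_assist_page structure or KVM's error handling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the per-CPU VP assist page lookup.
 * Nothing here is kernel code; the names and layout are assumptions. */

#define MODEL_NR_CPUS 4

struct model_vp_assist_page {
    uint64_t current_nested_vmcs;
    uint32_t enlighten_vmentry;
    uint32_t directhypercall;
};

/* Stays NULL until the per-CPU pages are installed, mirroring the
 * hv_vp_assist_page table in the report. */
static struct model_vp_assist_page **model_vp_assist_page;
static struct model_vp_assist_page *model_pages[MODEL_NR_CPUS];
static struct model_vp_assist_page model_storage[MODEL_NR_CPUS];

/* Same contract as the quoted hv_get_vp_assist_page(): NULL when the table
 * is absent (an out-of-range cpu is also rejected in this model). */
static struct model_vp_assist_page *model_get_vp_assist_page(unsigned int cpu)
{
    if (!model_vp_assist_page || cpu >= MODEL_NR_CPUS)
        return NULL;
    return model_vp_assist_page[cpu];
}

/* Unchecked variant: the shape the report flags. If the lookup returns
 * NULL, every store below is a NULL dereference. */
static void model_evmcs_load_unchecked(unsigned int cpu, uint64_t phys_addr,
                                       int nested_flush)
{
    struct model_vp_assist_page *vp_ap = model_get_vp_assist_page(cpu);

    if (nested_flush)
        vp_ap->directhypercall = 1;
    vp_ap->current_nested_vmcs = phys_addr;
    vp_ap->enlighten_vmentry = 1;
}

/* Checked variant: refuse the load and report it rather than dereference
 * NULL. Returns 0 on success, -1 when no assist page is available. */
static int model_evmcs_load_checked(unsigned int cpu, uint64_t phys_addr,
                                    int nested_flush)
{
    struct model_vp_assist_page *vp_ap = model_get_vp_assist_page(cpu);

    if (!vp_ap)
        return -1;
    if (nested_flush)
        vp_ap->directhypercall = 1;
    vp_ap->current_nested_vmcs = phys_addr;
    vp_ap->enlighten_vmentry = 1;
    return 0;
}

/* Set-up / tear-down helpers standing in for the kernel's allocation path. */
static void model_install_pages(void)
{
    for (unsigned int i = 0; i < MODEL_NR_CPUS; i++) {
        memset(&model_storage[i], 0, sizeof(model_storage[i]));
        model_pages[i] = &model_storage[i];
    }
    model_vp_assist_page = model_pages;
}

static void model_remove_pages(void)
{
    model_vp_assist_page = NULL;
}

/* Read back a field through the same lookup, returning 0 when unavailable. */
static uint64_t model_current_nested_vmcs(unsigned int cpu)
{
    struct model_vp_assist_page *p = model_get_vp_assist_page(cpu);
    return p ? p->current_nested_vmcs : 0;
}

int main(void)
{
    model_remove_pages();
    printf("table absent: checked load -> %d\n",
           model_evmcs_load_checked(0, 0x1000, 1));
    model_install_pages();
    printf("table present: checked load -> %d, vmcs=%#llx\n",
           model_evmcs_load_checked(1, 0x2000, 0),
           (unsigned long long)model_current_nested_vmcs(1));
    return 0;
}
```

With the table absent the checked variant returns -1 and touches nothing; the unchecked variant would fault on the first store. The model only exercises the unchecked path once the table is installed, which is the situation in which the two variants behave identically.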
