| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b0c3552b-1efd-4c48-8d86-91ee16e7222a@rbox.co>
Date: Tue, 6 Aug 2024 18:59:27 +0200
From: Michal Luczaj <mhal@...x.co>
To: Sean Christopherson <seanjc@...gle.com>
Cc: Will Deacon <will@...nel.org>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, Paolo Bonzini <pbonzini@...hat.com>,
Alexander Potapenko <glider@...gle.com>, Marc Zyngier <maz@...nel.org>
Subject: Re: [PATCH] KVM: Fix error path in kvm_vm_ioctl_create_vcpu() on
xa_store() failure
On 8/6/24 00:56, Sean Christopherson wrote:
> [...]
> + /*
> + * xa_store() should never fail, see xa_reserve() above. Leak the vCPU
> + * if the impossible happens, as userspace already has access to the
> + * vCPU, i.e. freeing the vCPU before userspace puts its file reference
> + * would trigger a use-after-free.
> + */
> if (KVM_BUG_ON(xa_store(&kvm->vcpu_array, vcpu->vcpu_idx, vcpu, 0), kvm)) {
> - r = -EINVAL;
> - goto kvm_put_xa_release;
> + mutex_unlock(&vcpu->mutex);
> + return -EINVAL;
> }
>
> /*
> @@ -4302,6 +4310,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
> */
> smp_wmb();
> atomic_inc(&kvm->online_vcpus);
> + mutex_unlock(&vcpu->mutex);
>
> mutex_unlock(&kvm->lock);
> kvm_arch_vcpu_postcreate(vcpu);
> @@ -4309,6 +4318,7 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, unsigned long id)
> return r;
>
> kvm_put_xa_release:
> + mutex_unlock(&vcpu->mutex);
> kvm_put_kvm_no_destroy(kvm);
> xa_release(&kvm->vcpu_array, vcpu->vcpu_idx);
Since we're handling the impossible, isn't the BUG_ON part missing
mutex_unlock(&kvm->lock)?
Powered by blists - more mailing lists