Message-ID: <FEBA39FEBDA1C9D7+20241017061334.222103-1-wangyuli@uniontech.com>
Date: Thu, 17 Oct 2024 14:13:34 +0800
From: WangYuli <wangyuli@...ontech.com>
To: maz@...nel.org,
	oliver.upton@...ux.dev,
	james.morse@....com,
	suzuki.poulose@....com,
	yuzenghui@...wei.com,
	catalin.marinas@....com,
	will@...nel.org,
	rdunlap@...radead.org,
	sebott@...hat.com
Cc: linux-arm-kernel@...ts.infradead.org,
	kvmarm@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	guanwentao@...ontech.com,
	zhanjun@...ontech.com,
	WangYuli <wangyuli@...ontech.com>,
	stable@...r.kernel.org
Subject: [PATCH] KVM: arm64: vgic-its: Do not call vgic_put_irq() within vgic_its_inject_cached_translation()

There is a probability that the host machine will also restart
when the virtual machine is restarting.

Commit ad362fe07fec ("KVM: arm64: vgic-its: Avoid potential UAF
in LPI translation cache") released the reference count of an IRQ
when it shouldn't have. This led to a situation where, when the
system finally released the IRQ, it found that the structure had
already been freed, triggering a
'refcount_t: underflow; use-after-free' error.

In fact, the function "vgic_put_irq" should be called by
"vgic_its_inject_cached_translation" instead of
"vgic_its_trigger_msi".

Call trace:
  its_free_ite+0x90/0xa0
  vgic_its_free_device+0x3c/0xa0
  vgic_its_destroy+0x4c/0xb8
  kvm_put_kvm+0x214/0x358
  kvm_vcpu_release+0x24/0x38
  __fput+0x84/0x278
  ____fput+0x20/0x30
  task_work_run+0xcc/0x190
  do_exit+0x36c/0xa88
  do_group_exit+0x4c/0xb8
  __arm64_sys_exit_group+0x24/0x28
  invoke_syscall+0x54/0x120
  el0_svc_common.constprop.4+0x16c/0x1f0
  do_el0_svc+0x34/0xb0
  el0_svc+0x1c/0x28
  el0_sync_handler+0x8c/0xb0
  el0_sync+0x148/0x180

Fixes: ad362fe07fec ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache")
Cc: stable@...r.kernel.org
Signed-off-by: Wenyao Hai <haiwenyao@...ontech.com>
Signed-off-by: WangYuli <wangyuli@...ontech.com>
---
 arch/arm64/kvm/vgic/vgic-its.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/kvm/vgic/vgic-its.c b/arch/arm64/kvm/vgic/vgic-its.c
index ba945ba78cc7..fb5f57cbab42 100644
--- a/arch/arm64/kvm/vgic/vgic-its.c
+++ b/arch/arm64/kvm/vgic/vgic-its.c
@@ -679,6 +679,7 @@ static int vgic_its_trigger_msi(struct kvm *kvm, struct vgic_its *its,
 	raw_spin_lock_irqsave(&irq->irq_lock, flags);
 	irq->pending_latch = true;
 	vgic_queue_irq_unlock(kvm, irq, flags);
+	vgic_put_irq(kvm, irq);
 
 	return 0;
 }
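Review bot: the vgic_put_irq() added after vgic_queue_irq_unlock() in vgic_its_trigger_msi() has no matching reference acquisition anywhere in the visible context of this hunk, so the patch needs to show (or the commit message needs to explain) where vgic_its_trigger_msi() takes the reference that this put releases; without that pairing the new put would itself produce the 'refcount_t: underflow' the commit message is trying to fix. The commit message also states the opposite of what this hunk does: it says vgic_put_irq "should be called by vgic_its_inject_cached_translation instead of vgic_its_trigger_msi", yet the diff adds the call to vgic_its_trigger_msi() and removes it from vgic_its_inject_cached_translation() (as the Subject line says). One of the two should be corrected so the message and the code agree.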
@@ -697,7 +698,6 @@ int vgic_its_inject_cached_translation(struct kvm *kvm, struct kvm_msi *msi)
 	raw_spin_lock_irqsave(&irq->irq_lock, flags);
 	irq->pending_latch = true;
 	vgic_queue_irq_unlock(kvm, irq, flags);
-	vgic_put_irq(kvm, irq);
 
 	return 0;
 }
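Review bot: removing vgic_put_irq() from vgic_its_inject_cached_translation() drops the release half of the reference that the Fixes: target, commit ad362fe07fec ("KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache"), introduced to keep the cached irq alive across this path. The diffstat shows only 1 insertion and 1 deletion in vgic-its.c, so the acquire side that commit added is untouched, and a caller entering through this function would now leak one reference per injected MSI. If the reference is really not taken on this path anymore, the patch should remove or adjust the get as well and the commit message should explain why the analysis in ad362fe07fec no longer holds; the quoted call trace only shows where the underflow is detected (its_free_ite() during vgic_its_destroy()), not which get/put pair is unbalanced.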
-- 
2.45.2

