| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6872ff6f.a70a0220.3b380f.0014.GAE@google.com>
Date: Sat, 12 Jul 2025 17:35:59 -0700
From: syzbot <syzbot+1f6f096afda6f4f8f565@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.
***
Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoorarnav43@...il.com
#syz test
From: Arnav Kapoor <kapoorarnnav43@...il.com>
Date: Sat, 13 Jul 2025 20:30:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS
field
The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.
The problematic check:
if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
kvm_set_sei_esr(vcpu, events->exception.serror_esr);
else
return -EINVAL;
allows the ISV bit because ESR_ELx_ISS_MASK includes bit 24 (GENMASK(24,0)).
However, the ISV bit should be set only by KVM itself when calling
kvm_set_sei_esr(), and userspace should not be able to control it.
Fix this by changing the validation to only allow bits 23:0 (the actual
ISS field without the ISV bit):
if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
This prevents userspace from setting reserved bits and the ISV bit while
still allowing control over the intended ISS field. The condition is
simplified since we now have a straightforward check for invalid bits.
Reported-by: syzbot+1f6f096afda6f4f8f565@...kaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoorarnnav43@...il.com>
---
arch/arm64/kvm/guest.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 2196979a24a3..cbe1e310f477 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,10 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
return -EINVAL;
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
+
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
} else if (serror_pending) {
kvm_inject_vabt(vcpu);
}
--
2.43.0
On Sunday, 13 July 2025 at 05:58:05 UTC+5:30 syzbot wrote:
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED
Tested on:
commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git
next
kernel config: https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=10644e8c580000
Powered by blists - more mailing lists