| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6872fb42.a70a0220.3b380f.0010.GAE@google.com>
Date: Sat, 12 Jul 2025 17:18:10 -0700
From: syzbot <syzbot+1f6f096afda6f4f8f565@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.
***
Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoorarnav43@...il.com
#syz test
From: Arnav Kapoor <kapoorarnnav43@...il.com>
Date: Fri, 27 Dec 2024 02:35:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS
field
The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.
The problematic check:
if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
kvm_set_sei_esr(vcpu, events->exception.serror_esr);
else
return -EINVAL;
allows the ISV bit because ESR_ELx_ISS_MASK includes bit 24 (GENMASK(24,0)).
However, the ISV bit should be set only by KVM itself when calling
kvm_set_sei_esr(), and userspace should not be able to control it.
Fix this by changing the validation to only allow bits 23:0 (the actual
ISS field without the ISV bit):
if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
This prevents userspace from setting reserved bits and the ISV bit while
still allowing control over the intended ISS field. The condition is
simplified since we now have a straightforward check for invalid bits.
Reported-by: syzbot+92be0215d467e7deb043@...kaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Signed-off-by: Arnav Kapoor <kapoorarnnav43@...il.com>
---
arch/arm64/kvm/guest.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 123456..789012 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -843,7 +843,7 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
if (serror_pending && has_esr) {
if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
return -EINVAL;
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
+ return -EINVAL;
+
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
On Sunday, 13 July 2025 at 05:36:31 UTC+5:30 syzbot wrote:
Hello,
syzbot found the following issue on:
HEAD commit: 15724a984643 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git
next
console output: https://syzkaller.appspot.com/x/log.txt?x=123090f0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler: Debian clang version 20.1.7
(++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD
20.1.7
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1324fe8c580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1206ed82580000
Downloadable assets:
disk image (non-bootable):
https://storage.googleapis.com/syzbot-assets/fa3fbcfdac58/non_bootable_disk-15724a98.raw.xz
vmlinux:
https://storage.googleapis.com/syzbot-assets/ec0f03d375a1/vmlinux-15724a98.xz
kernel image:
https://storage.googleapis.com/syzbot-assets/a36232f8c6dd/Image-15724a98.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the
commit:
Reported-by: syzbot+1f6f09...@...kaller.appspotmail.com
------------[ cut here ]------------
WARNING: CPU: 0 PID: 3603 at arch/arm64/kvm/inject_fault.c:71
pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
Modules linked in:
CPU: 0 UID: 0 PID: 3603 Comm: syz.2.16 Not tainted
6.16.0-rc3-syzkaller-g15724a984643 #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
pstate: 81402009 (Nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
pc : pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
lr : pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71
sp : ffff80008e807930
x29: ffff80008e807930 x28: d7f0000016ae8028 x27: 0000000000000001
x26: 0000000000000000 x25: 0000000000000001 x24: 00000000000000d7
x23: d7f0000016ae82a8 x22: 00000000000000d7 x21: d7f0000016ae8e81
x20: 0000000000000007 x19: efff800000000000 x18: 0000000000000000
x17: 000000000000005a x16: ffff800080011d9c x15: 0000000020000200
x14: ffffffffffffffff x13: 0000000000000028 x12: 0000000000000081
x11: 81f000001f049564 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 81f000001f048000 x7 : ffff800080b08704 x6 : ffff80008e807a88
x5 : ffff80008e807a88 x4 : 0000000000000001 x3 : ffff8000801a2e80
x2 : 0000000000000000 x1 : 0000000000000002 x0 : 0000000000000000
Call trace:
pend_serror_exception+0x19c/0x5ac arch/arm64/kvm/inject_fault.c:71 (P)
kvm_inject_serror_esr+0x274/0xe40 arch/arm64/kvm/inject_fault.c:330
__kvm_arm_vcpu_set_events+0x1d4/0x238 arch/arm64/kvm/guest.c:-1
kvm_arm_vcpu_set_events arch/arm64/kvm/arm.c:1698 [inline]
kvm_arch_vcpu_ioctl+0xed8/0x16b0 arch/arm64/kvm/arm.c:1810
kvm_vcpu_ioctl+0x5c4/0xc2c virt/kvm/kvm_main.c:4632
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__arm64_sys_ioctl+0x18c/0x244 fs/ioctl.c:893
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x90/0x2b4 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x180/0x2f4 arch/arm64/kernel/syscall.c:132
do_el0_svc+0x58/0x74 arch/arm64/kernel/syscall.c:151
el0_svc+0x58/0x160 arch/arm64/kernel/entry-common.c:767
el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
irq event stamp: 2728
hardirqs last enabled at (2727): [<ffff80008653cb88>]
__raw_read_unlock_irqrestore include/linux/rwlock_api_smp.h:241 [inline]
hardirqs last enabled at (2727): [<ffff80008653cb88>]
_raw_read_unlock_irqrestore+0x44/0xbc kernel/locking/spinlock.c:268
hardirqs last disabled at (2728): [<ffff800086517e08>] el1_dbg+0x24/0x80
arch/arm64/kernel/entry-common.c:511
softirqs last enabled at (2702): [<ffff8000800c988c>]
local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (2700): [<ffff8000800c9858>]
local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@...glegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Powered by blists - more mailing lists