Message-ID: <68734958.a70a0220.3b380f.0022.GAE@google.com>
Date: Sat, 12 Jul 2025 22:51:20 -0700
From: syzbot <syzbot+1f6f096afda6f4f8f565@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.
***
Subject: Private message regarding: [syzbot] [kvmarm?] WARNING in pend_serror_exception
Author: kapoorarnav43@...il.com
#syz test
From: Arnav Kapoor <kapoorarnnav43@...il.com>
Date: Sat, 13 Jul 2025 21:30:00 +0000
Subject: [PATCH] arm64: KVM: Fix SError ESR validation to only allow ISS field
The current validation in __kvm_arm_vcpu_set_events incorrectly allows
userspace to set the ISV bit (bit 24) in the SError ESR when injecting
a SError through KVM_SET_VCPU_EVENTS. According to the ARM ARM and the
KVM API documentation, userspace should only be able to control the ISS
field (bits 23:0) of the ESR, not the ISV bit which is managed by hardware.
The problematic check uses ESR_ELx_ISS_MASK which includes bit 24, allowing
userspace to control the ISV bit when it should only control bits 23:0.
This creates a potential security issue where userspace can manipulate the
ISV bit to potentially confuse or exploit kernel handling of SError
exceptions.
Fix this by changing the validation to use GENMASK(23, 0) which explicitly
masks only the ISS field, preventing userspace from setting the ISV bit or
any other reserved bits beyond the ISS field.
The fix changes the logic from:
if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
to:
if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
This ensures that any attempt to set bits beyond the ISS field (including
the ISV bit) will be rejected with -EINVAL.
Reported-by: syzbot+1f6f096afda6f4f8f565@...kaller.appspotmail.com
Fixes: 0e5b9065dcf3 ("KVM: arm64: Inject SError exception into guest")
Cc: stable@...r.kernel.org
Signed-off-by: Arnav Kapoor <kapoorarnnav43@...il.com>
---
arch/arm64/kvm/guest.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 12345678..87654321 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -844,10 +844,9 @@ int __kvm_arm_vcpu_set_events(struct kvm_vcpu *vcpu,
if (serror_pending && has_esr) {
if (!cpus_have_final_cap(ARM64_HAS_RAS_EXTN))
return -EINVAL;
-
- if (!((events->exception.serror_esr) & ~ESR_ELx_ISS_MASK))
- kvm_set_sei_esr(vcpu, events->exception.serror_esr);
- else
+
+ if (events->exception.serror_esr & ~GENMASK(23, 0))
return -EINVAL;
+ kvm_set_sei_esr(vcpu, events->exception.serror_esr);
} else if (serror_pending) {
kvm_inject_vabt(vcpu);
}
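Review bot: the hunk does not apply to the target tree: its index line is a placeholder (12345678..87654321) rather than real blob ids, and the syzbot reply below reports "Hunk #1 FAILED at 844" against the kvmarm tree, so the patch was not generated from a checkout matching the branch it is meant for. Regenerate it with git format-patch on the kvmarm next branch. Separately, the bare `GENMASK(23, 0)` in the new `if (events->exception.serror_esr & ~GENMASK(23, 0))` line should either be a named mask or carry a comment saying it is the ISS field (bits 23:0) of the SError ESR, as the commit message explains; otherwise a reader sees an unexplained constant sitting next to the ESR_ELx_ISS_MASK it replaces. The removed and re-added blank line (the `-` and `+` lines with nothing on them) is also churn that should be dropped from the diff.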
--
2.40.1
On Sunday, 13 July 2025 at 06:13:04 UTC+5:30 syzbot wrote:
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to apply patch:
checking file arch/arm64/kvm/guest.c
Hunk #1 FAILED at 844.
1 out of 1 hunk FAILED
Tested on:
commit: 15724a98 Merge branch 'kvm-arm64/doublefault2' into kv..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm.git next
kernel config: https://syzkaller.appspot.com/x/.config?x=82bd3cd421993314
dashboard link: https://syzkaller.appspot.com/bug?extid=1f6f096afda6f4f8f565
compiler:
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=153d90f0580000
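To make the difference between the removed and the added check concrete, here is an added example (not kernel code, not part of the thread) that reimplements both predicates and runs them over constructed ESR values. The local GENMASK helper, the SERROR_ISS_MASK name, and the assumption that ESR_ELx_ISS_MASK spans bits 24:0 (as the commit message states) are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the kernel's code. Masks reproduced as assumptions:
 * ESR_ELx_ISS_MASK is taken to cover bits 24:0, which the commit message
 * says is why the old check let bit 24 through; the fix narrows the
 * accepted range to bits 23:0, written in the patch as GENMASK(23, 0). */
#define GENMASK_U64(h, l) ((~0ULL >> (63 - (h))) & (~0ULL << (l)))
#define ESR_ELx_ISS_MASK  GENMASK_U64(24, 0)
#define SERROR_ISS_MASK   GENMASK_U64(23, 0)

/* Old check from the removed lines: accept when no bit outside ISS_MASK is set. */
bool old_check_accepts(uint64_t serror_esr)
{
    return !(serror_esr & ~ESR_ELx_ISS_MASK);
}

/* New check from the added lines: reject when any bit above bit 23 is set. */
bool new_check_accepts(uint64_t serror_esr)
{
    return !(serror_esr & ~SERROR_ISS_MASK);
}

/* Walk a few constructed ESR values and report which check admits them. */
int main(void)
{
    const uint64_t samples[] = {
        0x00000000ULL,   /* empty ISS */
        0x00FFFFFFULL,   /* every bit of the ISS field (23:0) set */
        1ULL << 24,      /* bit 24, the bit the commit message calls ISV */
        1ULL << 25,      /* a bit above the ISS field */
        0x3FULL << 26,   /* EC bits set */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("esr=0x%08llx old=%s new=%s\n", (unsigned long long)samples[i],
               old_check_accepts(samples[i]) ? "accept" : "reject",
               new_check_accepts(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Only the bit 24 row differs between the two columns; everything above it is rejected by both checks, and the pure ISS values are accepted by both.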