Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751965AbdLLHD4 (ORCPT ); Tue, 12 Dec 2017 02:03:56 -0500 Received: from mail-oi0-f65.google.com ([209.85.218.65]:39493 "EHLO mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751053AbdLLHDw (ORCPT ); Tue, 12 Dec 2017 02:03:52 -0500 X-Google-Smtp-Source: ACJfBou9aIu4705N6fSx4nCLN3rwjZJUQpDLCjGMswMdaICZ+UjdJHCiMURMTsLpZ+nm6dGwb9QvoxTZpKALtc1Jclc= MIME-Version: 1.0 In-Reply-To: <1513057950-58154-1-git-send-email-wanpeng.li@hotmail.com> References: <1513057950-58154-1-git-send-email-wanpeng.li@hotmail.com> From: Wanpeng Li Date: Tue, 12 Dec 2017 15:03:50 +0800 Message-ID: Subject: Re: [PATCH] KVM: X86: Fix stack-out-of-bounds read in write_mmio To: "linux-kernel@vger.kernel.org" , kvm Cc: Paolo Bonzini , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Wanpeng Li Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by nfs id vBC740Pi011840 Content-Length: 2658 Lines: 73 2017-12-12 13:52 GMT+08:00 Wanpeng Li : > From: Wanpeng Li > > Reported by syzkaller: > > BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm] > Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298 > > CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18 > Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016 > Call Trace: > dump_stack+0xab/0xe1 > print_address_description+0x6b/0x290 > kasan_report+0x28a/0x370 > write_mmio+0x11e/0x270 [kvm] > emulator_read_write_onepage+0x311/0x600 [kvm] > emulator_read_write+0xef/0x240 [kvm] > emulator_fix_hypercall+0x105/0x150 [kvm] > em_hypercall+0x2b/0x80 [kvm] > x86_emulate_insn+0x2b1/0x1640 [kvm] > x86_emulate_instruction+0x39a/0xb90 [kvm] > handle_exception+0x1b4/0x4d0 [kvm_intel] > vcpu_enter_guest+0x15a0/0x2640 [kvm] > kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm] > kvm_vcpu_ioctl+0x479/0x880 [kvm] > do_vfs_ioctl+0x142/0x9a0 > SyS_ioctl+0x74/0x80 > entry_SYSCALL_64_fastpath+0x23/0x9a > > The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall) > to the guest memory, however, write_mmio tracepoint always prints 8 bytes > through *(u64 *)val since kvm splits the mmio access into 8 bytes. This > can result in stack-out-of-bounds read due to access the extra 5 bytes. > This patch fixes it by just accessing the bytes which we operates on. > > Before patch: > > syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f > > After patch: > > syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f > > Reported-by: Dmitry Vyukov > Cc: Paolo Bonzini > Cc: Radim Krčmář > Signed-off-by: Wanpeng Li > --- Oops, a wrong version, please ignore this one. > arch/x86/kvm/x86.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index bc5d853..51e7932 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -4690,7 +4690,10 @@ static int write_emulate(struct kvm_vcpu *vcpu, gpa_t gpa, > > static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val) > { > - trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val); > + u64 data = 0; > + > + memcpy(&data, val, bytes); > + trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, data); > return vcpu_mmio_write(vcpu, gpa, bytes, val); > } > > -- > 2.7.4 >