From: Eric Biggers
To: kvm@vger.kernel.org
Cc: Paolo Bonzini, Radim Krčmář, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Eric Biggers, stable@vger.kernel.org
Subject: [PATCH] KVM: prevent overlap between user and private memslots
Date: Fri, 19 Jan 2018 00:18:20 -0800
Message-Id: <20180119081820.30803-1-ebiggers3@gmail.com>
In-Reply-To: <94eb2c06f65e7ece95055cf1aafd@google.com>
References: <94eb2c06f65e7ece95055cf1aafd@google.com>
List-ID: linux-kernel@vger.kernel.org
From: Eric Biggers

Memslots must not overlap in guest physical memory, since otherwise some
guest physical addresses will not uniquely map to a memslot. Yet, the
overlap check in __kvm_set_memory_region() allows a memslot that overlaps
one of the "private" memslots, e.g. the memslot reserved for the TSS on
x86.

This seems to be a very old bug that was introduced years ago when private
memory slots were first added. It seems that later refactoring incorrectly
assumed this bug was intentional and preserved it.

Fix it by removing the loophole for private memslots, so we just check for
overlap against all memslots.

This bug was found by syzkaller, which used a memslot overlap to make
pte_list_remove() be called for the wrong memslot, hitting a BUG():

    pte_list_remove: 000000007185ed42 0->BUG
    kernel BUG at arch/x86/kvm/mmu.c:1209!
    [...]
    RIP: 0010:pte_list_remove+0x107/0x110 arch/x86/kvm/mmu.c:1208
    [...]
    Call Trace:
     mmu_page_zap_pte+0x7e/0xd0 arch/x86/kvm/mmu.c:2499
     kvm_mmu_page_unlink_children arch/x86/kvm/mmu.c:2521 [inline]
     kvm_mmu_prepare_zap_page+0x4f/0x340 arch/x86/kvm/mmu.c:2565
     kvm_zap_obsolete_pages arch/x86/kvm/mmu.c:5348 [inline]
     kvm_mmu_invalidate_zap_all_pages+0xa6/0x100 arch/x86/kvm/mmu.c:5389
     kvm_mmu_notifier_release+0x4f/0x80 arch/x86/kvm/../../../virt/kvm/kvm_main.c:468
     __mmu_notifier_release+0x63/0x100 mm/mmu_notifier.c:75
     mmu_notifier_release include/linux/mmu_notifier.h:244 [inline]
     exit_mmap+0x160/0x170 mm/mmap.c:3009
     __mmput kernel/fork.c:966 [inline]
     mmput+0x44/0xd0 kernel/fork.c:987
     exit_mm kernel/exit.c:544 [inline]
     do_exit+0x24a/0xb50 kernel/exit.c:856
     do_group_exit+0x34/0xb0 kernel/exit.c:972
     SYSC_exit_group kernel/exit.c:983 [inline]
     SyS_exit_group+0xb/0x10 kernel/exit.c:981
     entry_SYSCALL_64_fastpath+0x1e/0x8b

Reproducer:

    /* Header names were lost in extraction; these three are the ones the
     * calls below need (open, ioctl, and the KVM ioctl numbers/structs). */
    #include <fcntl.h>
    #include <sys/ioctl.h>
    #include <linux/kvm.h>

    int main()
    {
    	/* 3 pages, the same size as the x86 TSS slot; guest_phys_addr
    	 * and slot are left zero, so this is user slot 0 at GPA 0. */
    	static char buf[4096*3] __attribute__((aligned(4096)));
    	int kvm, vm, cpu;
    	struct kvm_mp_state mp_state = { KVM_MP_STATE_SIPI_RECEIVED };
    	struct kvm_userspace_memory_region memreg = {
    		.memory_size = sizeof(buf),
    		.userspace_addr = (__u64)buf,
    	};

    	kvm = open("/dev/kvm", O_RDWR);
    	vm = ioctl(kvm, KVM_CREATE_VM, 0);
    	ioctl(vm, KVM_CREATE_IRQCHIP);
    	cpu = ioctl(vm, KVM_CREATE_VCPU, 0);
    	ioctl(cpu, KVM_SET_MP_STATE, &mp_state);
    	/* private TSS slot at GPA 0 ... */
    	ioctl(vm, KVM_SET_TSS_ADDR, 0);
    	ioctl(cpu, KVM_RUN, 0);
    	/* ... then a user slot covering the same range */
    	ioctl(vm, KVM_SET_USER_MEMORY_REGION, &memreg);
    }

Reported-by: syzbot
Fixes: e0d62c7f4860 ("KVM: Add kernel-internal memory slots")
Cc: # v2.6.25+
Signed-off-by: Eric Biggers
---
 virt/kvm/kvm_main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 210bf820385a..e536977e7b6d 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -974,8 +974,7 @@ int __kvm_set_memory_region(struct kvm *kvm,
 	/* Check for overlaps */
 	r = -EEXIST;
 	kvm_for_each_memslot(slot, __kvm_memslots(kvm, as_id)) {
-		if ((slot->id >= KVM_USER_MEM_SLOTS) ||
-		    (slot->id == id))
+		if (slot->id == id)
 			continue;
 		if (!((base_gfn + npages <= slot->base_gfn) ||
 		      (base_gfn >= slot->base_gfn + slot->npages)))
-- 
2.16.0
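Review bot: the commit message should spell out the userspace-visible consequence of dropping the `slot->id >= KVM_USER_MEM_SLOTS` skip: a KVM_SET_USER_MEMORY_REGION that overlaps a private slot, which the old loop silently accepted, now returns -EEXIST, and if private slots are installed through this same __kvm_set_memory_region() path the reverse order (user slot first, KVM_SET_TSS_ADDR second) is rejected too; with a stable v2.6.25+ tag that behaviour change deserves a sentence. The hunk itself is sound: the interval test is untouched and the remaining `slot->id == id` skip still lets the caller resize or move the slot it is setting.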
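To see what the one-line change does, here is an added user-space model of the overlap loop from the hunk (example code, not from the patch or the kernel), with the deleted private-slot skip kept behind a flag so the old and new outcomes can be compared on the layout the reproducer builds; the value of KVM_USER_MEM_SLOTS, the 3-page TSS slot and the slot table are assumptions.

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * overlap loop in __kvm_set_memory_region(). skip_private = true keeps the
 * condition the patch deletes. Constants and slot layout are assumed. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#define KVM_USER_MEM_SLOTS 509  /* assumed; the real value is arch-specific */
struct memslot {
    int id;
    unsigned long base_gfn;     /* first guest frame number of the slot */
    unsigned long npages;
};
/* Interval test exactly as written in the hunk: true when the half-open
 * range [base_gfn, base_gfn + npages) intersects the slot. */
static bool slots_overlap(unsigned long base_gfn, unsigned long npages,
                          const struct memslot *slot)
{
    return !((base_gfn + npages <= slot->base_gfn) ||
             (base_gfn >= slot->base_gfn + slot->npages));
}
/* 0 if the region may be installed, -EEXIST if it overlaps another slot. */
static int check_region(const struct memslot *slots, size_t n, int id,
                        unsigned long base_gfn, unsigned long npages,
                        bool skip_private)
{
    for (size_t i = 0; i < n; i++) {
        const struct memslot *slot = &slots[i];
        if (slot->id == id)
            continue;   /* the slot being replaced or moved */
        if (skip_private && slot->id >= KVM_USER_MEM_SLOTS)
            continue;   /* the loophole: private slots were never compared */
        if (slots_overlap(base_gfn, npages, slot))
            return -EEXIST;
    }
    return 0;
}
/* Constructed layout: the private TSS slot at GFN 0 (what KVM_SET_TSS_ADDR 0
 * in the reproducer creates, assumed 3 pages) plus one user slot at 0x100. */
static const struct memslot kvm_slots[] = {
    { .id = KVM_USER_MEM_SLOTS, .base_gfn = 0,     .npages = 3  },
    { .id = 1,                  .base_gfn = 0x100, .npages = 16 },
};
#define NSLOTS (sizeof(kvm_slots) / sizeof(kvm_slots[0]))
/* The reproducer's request: user slot 0, 3 pages at GFN 0. Old code says
 * OK (0), fixed code says -EEXIST; a disjoint region passes either way. */
int old_check_tss_overlap(void) { return check_region(kvm_slots, NSLOTS, 0, 0, 3, true); }
int new_check_tss_overlap(void) { return check_region(kvm_slots, NSLOTS, 0, 0, 3, false); }
int new_check_disjoint(void)    { return check_region(kvm_slots, NSLOTS, 0, 0x200, 8, false); }
```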