From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Andy Honig, Cfir Cohen, Liran Alon, Paolo Bonzini
Subject: [PATCH 4.19 23/46] KVM: Fix UAF in nested posted interrupt processing
Date: Fri, 28 Dec 2018 12:52:17 +0100
Message-Id: <20181228113126.119876474@linuxfoundation.org>
In-Reply-To: <20181228113124.971620049@linuxfoundation.org>
References: <20181228113124.971620049@linuxfoundation.org>

4.19-stable review patch. If anyone has any objections, please let me know.

------------------
From: Cfir Cohen

commit c2dd5146e9fe1f22c77c1b011adf84eea0245806 upstream.

nested_get_vmcs12_pages() processes the posted_intr address in vmcs12. It caches the kmap()ed page object and pointer; however, it doesn't handle errors correctly: it's possible to cache a valid pointer, then release the page and later dereference the dangling pointer.

I was able to reproduce with the following steps:

1. Call vmlaunch with valid posted_intr_desc_addr but an invalid MSR_EFER. This causes nested_get_vmcs12_pages() to cache the kmap()ed pi_desc_page and pi_desc. Later the invalid EFER value fails check_vmentry_postreqs(), which fails the first vmlaunch.

2. Call vmlaunch with a valid EFER but an invalid posted_intr_desc_addr (I set it to 2G - 0x80). The second time we call nested_get_vmcs12_pages, pi_desc_page is unmapped and released and pi_desc_page is set to NULL (the "shouldn't happen" clause). Due to the invalid posted_intr_desc_addr, kvm_vcpu_gpa_to_page() fails and nested_get_vmcs12_pages() returns. It doesn't return an error value, so vmlaunch proceeds. Note that at this time we have a dangling pointer in vmx->nested.pi_desc and POSTED_INTR_DESC_ADDR in L0's vmcs.

3. Issue an IPI in L2 guest code. This triggers a call to vmx_complete_nested_posted_interrupt() and pi_test_and_clear_on(), which dereferences the dangling pointer.

Vulnerable code requires the nested and enable_apicv variables to be set to true. The host CPU must also support posted interrupts.

Fixes: 5e2f30b756a37 "KVM: nVMX: get rid of nested_get_page()"
Cc: stable@vger.kernel.org
Reviewed-by: Andy Honig
Signed-off-by: Cfir Cohen
Reviewed-by: Liran Alon
Signed-off-by: Paolo Bonzini
Signed-off-by: Greg Kroah-Hartman
---
 arch/x86/kvm/vmx.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11471,6 +11471,8 @@ static void nested_get_vmcs12_pages(stru kunmap(vmx->nested.pi_desc_page); kvm_release_page_dirty(vmx->nested.pi_desc_page); vmx->nested.pi_desc_page = NULL; + vmx->nested.pi_desc = NULL; + vmcs_write64(POSTED_INTR_DESC_ADDR, -1ull); } page = kvm_vcpu_gpa_to_page(vcpu, vmcs12->posted_intr_desc_addr); if (is_error_page(page))
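Review bot: the two added lines close the dangling-pointer window, but the hunk's own context (`static void nested_get_vmcs12_pages`) shows the function still returns nothing, so when the following `kvm_vcpu_gpa_to_page()` call yields an error page the nested entry proceeds with `vmx->nested.pi_desc == NULL` rather than failing; a short comment above `vmx->nested.pi_desc = NULL;` stating that every consumer of `pi_desc` (the commit message names `vmx_complete_nested_posted_interrupt()`) must tolerate a NULL descriptor would make that invariant explicit for future readers and backporters. The `-1ull` written to `POSTED_INTR_DESC_ADDR` is an uncommented sentinel; one line explaining why an all-ones address is the right value when no descriptor page is mapped would help.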