Subject: Re: [PATCH] KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
To: David Hildenbrand, Thomas Huth, Janosch Frank, kvm@vger.kernel.org
Cc: Cornelia Huck, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20190912090050.20295-1-thuth@redhat.com> <6905df78-95f0-3d6d-aaae-910cd2d7a232@redhat.com> <253e67f6-0a41-13e8-4ca2-c651d5fcdb69@redhat.com> <982f703f-73f1-30c2-031f-a430de7dc6a9@redhat.com>
From: Christian Borntraeger
Date: Thu, 12 Sep 2019 13:00:03 +0200
In-Reply-To: <982f703f-73f1-30c2-031f-a430de7dc6a9@redhat.com>
Message-Id: <91dfd032-7529-d9f4-8239-60fa1e06977e@de.ibm.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On 12.09.19 12:58, David Hildenbrand wrote: > On 12.09.19 11:20, Thomas Huth wrote: >> On 12/09/2019 11.14, David Hildenbrand wrote: >>> On 12.09.19 11:00, Thomas Huth wrote: >>>> When the userspace program runs the KVM_S390_INTERRUPT ioctl to inject >>>> an interrupt, we convert them from the legacy struct kvm_s390_interrupt >>>> to the new struct kvm_s390_irq via the s390int_to_s390irq() function. >>>> However, this function does not take care of all types of interrupts >>>> that we can inject into the guest later (see do_inject_vcpu()). Since we >>>> do not clear out the s390irq values before calling s390int_to_s390irq(), >>>> there is a chance that we copy unwanted data from the kernel stack >>>> into the guest memory later if the interrupt data has not been properly >>>> initialized by s390int_to_s390irq(). >>>> >>>> Specifically, the problem exists with the KVM_S390_INT_PFAULT_INIT >>>> interrupt: s390int_to_s390irq() does not handle it, but the function >>>> __deliver_pfault_init() will later copy the uninitialized stack data >>>> from the ext.ext_params2 into the guest memory. >>>> >>>> Fix it by handling that interrupt type in s390int_to_s390irq(), too. >>>> And while we're at it, make sure that s390int_to_s390irq() now >>>> directly returns -EINVAL for unknown interrupt types, so that we >>>> do not run into this problem again in case we add more interrupt >>>> types to do_inject_vcpu() sometime in the future. >>>> >>>> Signed-off-by: Thomas Huth >>>> --- >>>> arch/s390/kvm/interrupt.c | 10 ++++++++++ >>>> 1 file changed, 10 insertions(+) >>>> >>>> diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c >>>> index 3e7efdd9228a..165dea4c7f19 100644
>>>> --- a/arch/s390/kvm/interrupt.c >>>> +++ b/arch/s390/kvm/interrupt.c >>>> @@ -1960,6 +1960,16 @@ int s390int_to_s390irq(struct kvm_s390_interrupt *s390int, >>>> case KVM_S390_MCHK: >>>> irq->u.mchk.mcic = s390int->parm64; >>>> break; >>>> + case KVM_S390_INT_PFAULT_INIT: >>>> + irq->u.ext.ext_params = s390int->parm; >>>> + irq->u.ext.ext_params2 = s390int->parm64; >>>> + break; >>>> + case KVM_S390_RESTART: >>>> + case KVM_S390_INT_CLOCK_COMP: >>>> + case KVM_S390_INT_CPU_TIMER: >>>> + break; >>>> + default: >>>> + return -EINVAL; >>>> } >>>> return 0; >>>> } >>>> >>> >>> Wouldn't a safe fix be to initialize the struct to zero in the caller? >> >> That's of course possible, too. But that means that we always have to >> zero out the whole structure, so that's a little bit more of overhead >> (well, it likely doesn't matter for such a legacy ioctl). > > I would vote for doing this as well. Yes, let's also do the designated initializer, add more text to the patch description (or should we not?) add cc stable and I will pick a v2. > >> >> But the more important question: Do we then still care of fixing the >> PFAULT_INIT interrupt here? Since it requires a parameter, the "case >> KVM_S390_INT_PFAULT_INIT:" part would be required here anyway. >> > > That's indeed true. > > Reviewed-by: David Hildenbrand > >> Thomas >> > >
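Review bot: the three new pass-through cases (KVM_S390_RESTART, KVM_S390_INT_CLOCK_COMP, KVM_S390_INT_CPU_TIMER) still write nothing into *irq, so this hunk closes the PFAULT_INIT leak but keeps relying on the caller to hand in a cleared struct; pair it with the zero-initialization of the kvm_s390_irq in the KVM_S390_INTERRUPT ioctl path that the thread settles on (a designated initializer), and keep the `+ default:` / `+ return -EINVAL;` branch so that a type later added to do_inject_vcpu() without a matching case fails at conversion instead of reaching the guest half-filled. The patch description should say that the caller-side zeroing is part of the fix, and the v2 should carry the Cc: stable tag mentioned in the reply.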
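As an added illustration of the leak the commit message describes (my own example, not the kernel's code): a cut-down model of s390int_to_s390irq() before and after the patch, run against an output struct pre-filled with a stale byte pattern that stands in for uncleared kernel stack contents, plus the caller-side zeroing the thread proposes. Struct layouts, type values and the 0xAA/0xdeadbeef inputs are constructed for the demonstration and are not the real uapi definitions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for kvm_s390_interrupt / kvm_s390_irq: simplified layout, made-up type values. */
enum { KVM_S390_INT_PFAULT_INIT = 1, KVM_S390_RESTART = 2, KVM_S390_MCHK = 3 };
struct s390_interrupt { uint32_t type; uint32_t parm; uint64_t parm64; };
struct s390_irq {
    uint32_t type;
    union { struct { uint32_t ext_params; uint64_t ext_params2; } ext; struct { uint64_t mcic; } mchk; } u;
};
typedef int (*converter)(const struct s390_interrupt *, struct s390_irq *);
#define STALE 0xAAAAAAAAAAAAAAAAull /* pattern standing in for leftover stack bytes */

/* Before the patch: no PFAULT_INIT case and unknown types return 0, so ext_params2 keeps the stale bytes. */
int convert_before(const struct s390_interrupt *in, struct s390_irq *irq) {
    irq->type = in->type;
    if (in->type == KVM_S390_MCHK) irq->u.mchk.mcic = in->parm64;
    return 0;
}

/* After the patch: every injectable type is listed, anything else is rejected instead of passed through. */
int convert_after(const struct s390_interrupt *in, struct s390_irq *irq) {
    irq->type = in->type;
    switch (in->type) {
    case KVM_S390_MCHK: irq->u.mchk.mcic = in->parm64; break;
    case KVM_S390_INT_PFAULT_INIT:
        irq->u.ext.ext_params = in->parm;
        irq->u.ext.ext_params2 = in->parm64; break;
    case KVM_S390_RESTART: break; /* carries no parameters */
    default: return -EINVAL;
    }
    return 0;
}

/* Fill the output struct with STALE (an uncleared kernel stack), optionally zero it first (the designated-
 * initializer fix), convert a PFAULT_INIT request and return the ext_params2 value a guest would receive. */
uint64_t pfault_params2_seen(converter conv, int zero_init) {
    struct s390_interrupt in = { KVM_S390_INT_PFAULT_INIT, 0x1234, 0xdeadbeefull };
    struct s390_irq irq;
    memset(&irq, 0xAA, sizeof irq);
    if (zero_init) irq = (struct s390_irq){ .type = 0 };
    conv(&in, &irq);
    return irq.u.ext.ext_params2;
}

/* Return code a converter gives for a given type (99 is a constructed unknown type). */
int convert_rc(converter conv, uint32_t type) {
    struct s390_interrupt in = { type, 0, 0 }; struct s390_irq irq = { 0 };
    return conv(&in, &irq);
}
```

The pre-patch converter passes the stale pattern straight through to the guest, while either the explicit case or caller-side zeroing stops it; only the post-patch converter rejects an unknown type.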