KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
This commit is contained in:
parent
c0096a08f9
commit
942d6ddd3f
|
@ -8,6 +8,7 @@ linux (4.19.67-2+deb10u1) UNRELEASED; urgency=medium
|
||||||
[ Salvatore Bonaccorso ]
|
[ Salvatore Bonaccorso ]
|
||||||
* vhost: make sure log_num < in_num (CVE-2019-14835)
|
* vhost: make sure log_num < in_num (CVE-2019-14835)
|
||||||
* [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
|
* [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
|
||||||
|
* KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
|
||||||
|
|
||||||
-- Romain Perier <romain.perier@gmail.com> Wed, 28 Aug 2019 13:28:09 +0200
|
-- Romain Perier <romain.perier@gmail.com> Wed, 28 Aug 2019 13:28:09 +0200
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,79 @@
|
||||||
|
From: Matt Delco <delco@chromium.org>
|
||||||
|
Date: Mon, 16 Sep 2019 14:16:54 -0700
|
||||||
|
Subject: KVM: coalesced_mmio: add bounds checking
|
||||||
|
Origin: https://git.kernel.org/linus/b60fe990c6b07ef6d4df67bc0530c7c90a62623a
|
||||||
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14821
|
||||||
|
|
||||||
|
The first/last indexes are typically shared with a user app.
|
||||||
|
The app can change the 'last' index that the kernel uses
|
||||||
|
to store the next result. This change sanity checks the index
|
||||||
|
before using it for writing to a potentially arbitrary address.
|
||||||
|
|
||||||
|
This fixes CVE-2019-14821.
|
||||||
|
|
||||||
|
Cc: stable@vger.kernel.org
|
||||||
|
Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
|
||||||
|
Signed-off-by: Matt Delco <delco@chromium.org>
|
||||||
|
Signed-off-by: Jim Mattson <jmattson@google.com>
|
||||||
|
Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
|
||||||
|
[Use READ_ONCE. - Paolo]
|
||||||
|
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||||
|
[Salvatore Bonaccorso: backport to 4.19: Adjust for context changes, cherry-pick
|
||||||
|
commit from stable-queue for 4.19.75]
|
||||||
|
---
|
||||||
|
virt/kvm/coalesced_mmio.c | 17 ++++++++++-------
|
||||||
|
1 file changed, 10 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
--- a/virt/kvm/coalesced_mmio.c
|
||||||
|
+++ b/virt/kvm/coalesced_mmio.c
|
||||||
|
@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struc
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
|
||||||
|
+static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
|
||||||
|
{
|
||||||
|
struct kvm_coalesced_mmio_ring *ring;
|
||||||
|
unsigned avail;
|
||||||
|
@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struc
|
||||||
|
* there is always one unused entry in the buffer
|
||||||
|
*/
|
||||||
|
ring = dev->kvm->coalesced_mmio_ring;
|
||||||
|
- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
|
||||||
|
+ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
|
||||||
|
if (avail == 0) {
|
||||||
|
/* full */
|
||||||
|
return 0;
|
||||||
|
@@ -67,24 +67,27 @@ static int coalesced_mmio_write(struct k
|
||||||
|
{
|
||||||
|
struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
|
||||||
|
struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
|
||||||
|
+ __u32 insert;
|
||||||
|
|
||||||
|
if (!coalesced_mmio_in_range(dev, addr, len))
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
|
spin_lock(&dev->kvm->ring_lock);
|
||||||
|
|
||||||
|
- if (!coalesced_mmio_has_room(dev)) {
|
||||||
|
+ insert = READ_ONCE(ring->last);
|
||||||
|
+ if (!coalesced_mmio_has_room(dev, insert) ||
|
||||||
|
+ insert >= KVM_COALESCED_MMIO_MAX) {
|
||||||
|
spin_unlock(&dev->kvm->ring_lock);
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* copy data in first free entry of the ring */
|
||||||
|
|
||||||
|
- ring->coalesced_mmio[ring->last].phys_addr = addr;
|
||||||
|
- ring->coalesced_mmio[ring->last].len = len;
|
||||||
|
- memcpy(ring->coalesced_mmio[ring->last].data, val, len);
|
||||||
|
+ ring->coalesced_mmio[insert].phys_addr = addr;
|
||||||
|
+ ring->coalesced_mmio[insert].len = len;
|
||||||
|
+ memcpy(ring->coalesced_mmio[insert].data, val, len);
|
||||||
|
smp_wmb();
|
||||||
|
- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
|
||||||
|
+ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
|
||||||
|
spin_unlock(&dev->kvm->ring_lock);
|
||||||
|
return 0;
|
||||||
|
}
|
|
@ -166,6 +166,7 @@ bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
|
||||||
bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
|
bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
|
||||||
bugfix/all/vhost-make-sure-log_num-in_num.patch
|
bugfix/all/vhost-make-sure-log_num-in_num.patch
|
||||||
bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
|
bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
|
||||||
|
bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
|
||||||
|
|
||||||
# Fix exported symbol versions
|
# Fix exported symbol versions
|
||||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||||
|
|
Loading…
Reference in New Issue