linux/arch/powerpc/kvm
Michael Ellerman a986fa57fd KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().

It looks up `stt` from tablefd, but then continues to use it after doing
fdput() on the returned fd. After the fdput() the tablefd is free to be
closed by another thread. The close calls kvm_spapr_tce_release() and
then release_spapr_tce_table() (via call_rcu()) which frees `stt`.

Although there are calls to rcu_read_lock() in
kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent
the UAF, because `stt` is used outside the locked regions.

With an artificial delay after the fdput() and a userspace program which
triggers the race, KASAN detects the UAF:

  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505
  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1
  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV
  Call Trace:
    dump_stack_lvl+0xb4/0x108 (unreliable)
    print_report+0x2b4/0x6ec
    kasan_report+0x118/0x2b0
    __asan_load4+0xb8/0xd0
    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
    kvm_vfio_set_attr+0x524/0xac0 [kvm]
    kvm_device_ioctl+0x144/0x240 [kvm]
    sys_ioctl+0x62c/0x1810
    system_call_exception+0x190/0x440
    system_call_vectored_common+0x15c/0x2ec
  ...
  Freed by task 0:
   ...
   kfree+0xec/0x3e0
   release_spapr_tce_table+0xd4/0x11c [kvm]
   rcu_core+0x568/0x16a0
   handle_softirqs+0x23c/0x920
   do_softirq_own_stack+0x6c/0x90
   do_softirq_own_stack+0x58/0x90
   __irq_exit_rcu+0x218/0x2d0
   irq_exit+0x30/0x80
   arch_local_irq_restore+0x128/0x230
   arch_local_irq_enable+0x1c/0x30
   cpuidle_enter_state+0x134/0x5cc
   cpuidle_enter+0x6c/0xb0
   call_cpuidle+0x7c/0x100
   do_idle+0x394/0x410
   cpu_startup_entry+0x60/0x70
   start_secondary+0x3fc/0x410
   start_secondary_prolog+0x10/0x14

Fix it by delaying the fdput() until `stt` is no longer in use, which
is effectively the entire function. To keep the patch minimal add a call
to fdput() at each of the existing return paths. Future work can convert
the function to goto or __cleanup style cleanup.

With the fix in place the test case no longer triggers the UAF.

Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Closes: https://lore.kernel.org/all/20240610024437.GA1464458@ZenIV/
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240614122910.3499489-1-mpe@ellerman.id.au
2024-06-16 10:20:11 +10:00
book3s_32_mmu_host.c
book3s_32_mmu.c KVM: Use 'unsigned long' as kvm_for_each_vcpu()'s index 2021-12-08 04:24:15 -05:00
book3s_32_sr.S KVM: PPC: Book3S PR: Enable MSR_DR for switch_mmu_context() 2022-05-11 23:03:16 +10:00
book3s_64_entry.S docs: move powerpc under arch 2023-10-10 13:35:55 -06:00
book3s_64_mmu_host.c KVM: Rename mmu_notifier_* to mmu_invalidate_* 2022-08-19 04:05:41 -04:00
book3s_64_mmu_hv.c KVM: delete .change_pte MMU notifier callback 2024-04-11 13:18:27 -04:00
book3s_64_mmu_radix.c mm/powerpc: replace pXd_is_leaf() with pXd_leaf() 2024-03-06 13:04:19 -08:00
book3s_64_mmu.c KVM: Use 'unsigned long' as kvm_for_each_vcpu()'s index 2021-12-08 04:24:15 -05:00
book3s_64_slb.S
book3s_64_vio.c KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group() 2024-06-16 10:20:11 +10:00
book3s_emulate.c powerpc: rename SPRN_HID2 define to SPRN_HID2_750FX 2024-05-08 00:25:00 +10:00
book3s_exports.c
book3s_hv_builtin.c KVM: PPC: Book3S HV: Introduce low level MSR accessor 2023-09-14 22:04:24 +10:00
book3s_hv_hmi.c KVM: PPC: Book3S HV P9: Remove subcore HMI handling 2021-11-24 21:09:03 +11:00
book3s_hv_interrupts.S powerpc: Fix objtool unannotated intra-function call warnings 2022-11-15 20:11:47 +11:00
book3s_hv_nested.c treewide: update LLVM Bugzilla links 2024-02-22 15:38:51 -08:00
book3s_hv_nestedv2.c KVM: PPC: Book3S HV nestedv2: Fix an error handling path in gs_msg_ops_kvmhv_nestedv2_config_fill_info() 2024-05-08 01:28:00 +10:00
book3s_hv_p9_entry.c KVM: PPC: Use accessors for VCPU registers 2023-09-14 22:04:24 +10:00
book3s_hv_p9_perf.c powerpc/kvm: Remove comment related to moving PMU code to perf subsystem 2022-07-20 22:28:31 +10:00
book3s_hv_ras.c KVM: PPC: Use accessors for VCORE registers 2023-09-14 22:04:24 +10:00
book3s_hv_rm_mmu.c KVM: PPC: Always use the GPR accessors 2023-09-14 22:04:23 +10:00
book3s_hv_rm_xics.c genirq: Convert kstat_irqs to a struct 2024-04-12 17:08:05 +02:00
book3s_hv_rmhandlers.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
book3s_hv_tm_builtin.c
book3s_hv_tm.c KVM: PPC: Book3S HV Nested: Fix TM softpatch HFAC interrupt emulation 2021-08-25 16:37:17 +10:00
book3s_hv_uvmem.c KVM: PPC: Book3s HV: Hold LPIDs in an unsigned long 2023-09-14 22:04:24 +10:00
book3s_hv.c powerpc updates for 6.10 2024-05-17 09:05:46 -07:00
book3s_hv.h KVM: PPC: Add support for nestedv2 guests 2023-09-14 22:04:24 +10:00
book3s_interrupts.S powerpc: Replace PPC64_ELF_ABI_v{1/2} by CONFIG_PPC64_ELF_ABI_V{1/2} 2022-05-19 23:11:29 +10:00
book3s_mmu_hpte.c
book3s_paired_singles.c KVM: PPC: Make kvmppc_get_last_inst() produce a ppc_inst_t 2023-04-03 15:45:41 +10:00
book3s_pr_papr.c KVM: remove KVM_REQ_UNHALT 2022-09-26 12:37:21 -04:00
book3s_pr.c KVM: delete .change_pte MMU notifier callback 2024-04-11 13:18:27 -04:00
book3s_rmhandlers.S KVM: PPC: Enable prefixed instructions for HV KVM and disable for PR KVM 2023-04-03 15:45:59 +10:00
book3s_rtas.c KVM: Add helpers to wrap vcpu->srcu_idx and yell if it's abused 2022-04-21 13:16:11 -04:00
book3s_segment.S
book3s_xics.c powerpc: fix typos in comments 2022-05-05 22:12:44 +10:00
book3s_xics.h KVM: PPC: Book3s: Fix warning about xics_rm_h_xirr_x 2022-06-24 12:58:33 +10:00
book3s_xive_native.c powerpc: Use NULL instead of 0 for null pointers 2023-10-19 17:12:47 +11:00
book3s_xive.c powerpc: Fix typos 2024-05-08 00:21:30 +10:00
book3s_xive.h powerpc/xive: remove unused parameter 2022-11-24 23:12:18 +11:00
book3s.c powerpc updates for 6.10 2024-05-17 09:05:46 -07:00
book3s.h KVM: delete .change_pte MMU notifier callback 2024-04-11 13:18:27 -04:00
booke_emulate.c
booke_interrupts.S powerpc: Remove CONFIG_FSL_BOOKE 2022-09-26 22:47:37 +10:00
booke.c KVM: PPC: Fetch prefixed instructions from the guest 2023-04-03 15:45:50 +10:00
booke.h KVM: PPC: BookE: Fix W=1 warnings 2023-04-03 14:54:20 +10:00
bookehv_interrupts.S KVM: PPC: Fetch prefixed instructions from the guest 2023-04-03 15:45:50 +10:00
e500_emulate.c KVM: Use 'unsigned long' as kvm_for_each_vcpu()'s index 2021-12-08 04:24:15 -05:00
e500_mmu_host.c KVM: delete .change_pte MMU notifier callback 2024-04-11 13:18:27 -04:00
e500_mmu_host.h
e500_mmu.c
e500.c KVM: Drop kvm_arch_check_processor_compat() hook 2022-12-29 15:41:28 -05:00
e500.h powerpc: Remove CONFIG_PPC_BOOK3E_MMU 2022-09-26 23:00:14 +10:00
e500mc.c powerpc/inst: add PPC_TLBILX_LPID 2023-08-16 23:54:48 +10:00
emulate_loadstore.c KVM: PPC: Reduce reliance on analyse_instr() in mmio emulation 2023-12-07 23:33:08 +11:00
emulate.c KVM: PPC: Fetch prefixed instructions from the guest 2023-04-03 15:45:50 +10:00
fpu.S powerpc/32: Fix objtool unannotated intra-function call warnings 2022-11-18 19:00:06 +11:00
guest-state-buffer.c KVM: PPC: Add support for nestedv2 guests 2023-09-14 22:04:24 +10:00
Kconfig kvm: move "select IRQ_BYPASS_MANAGER" to common code 2024-02-08 08:45:34 -05:00
Makefile KVM: PPC: Add support for nestedv2 guests 2023-09-14 22:04:24 +10:00
mpic.c
powerpc.c KVM: Get rid of return value from kvm_arch_create_vm_debugfs() 2024-02-23 21:44:58 +00:00
test-guest-state-buffer.c KVM: PPC: Add helper library for Guest State Buffers 2023-09-14 22:04:24 +10:00
timing.c KVM: PPC: Merge powerpc's debugfs entry content into generic entry 2022-02-02 20:30:26 +11:00
timing.h KVM: PPC: Merge powerpc's debugfs entry content into generic entry 2022-02-02 20:30:26 +11:00
tm.S powerpc: replace #include <asm/export.h> with #include <linux/export.h> 2023-08-16 23:54:48 +10:00
trace_book3s.h
trace_booke.h
trace_hv.h KVM: PPC: Book3S HV: tracing: Add missing hcall names 2022-06-29 19:21:29 +10:00
trace_pr.h
trace.h