Home Home > GIT Browse > SLE11-SP4
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichal Hocko <mhocko@suse.com>2019-01-14 13:15:23 +0100
committerMichal Hocko <mhocko@suse.com>2019-01-14 13:15:23 +0100
commit028c78358ecc40a60fc59e0ea3973c16ae6366fe (patch)
treeef405ba371371651ca7c9bcee7b069408c5b5703
parentd2d2d8b13ebab3e45672115b33901041b3cfd830 (diff)
parent19bbc5de7de30de342ff0eb0b5216159bc2e9ef7 (diff)
Merge remote-tracking branch 'origin/users/jroedel/SLE11-SP4/for-next' into users/mhocko/SLE11-SP4/for-next
-rw-r--r--patches.arch/kvm-x86-fix-scan-ioapic-use-before-initialization112
-rw-r--r--series.conf4
2 files changed, 116 insertions, 0 deletions
diff --git a/patches.arch/kvm-x86-fix-scan-ioapic-use-before-initialization b/patches.arch/kvm-x86-fix-scan-ioapic-use-before-initialization
new file mode 100644
index 0000000000..be33122b3f
--- /dev/null
+++ b/patches.arch/kvm-x86-fix-scan-ioapic-use-before-initialization
@@ -0,0 +1,112 @@
+From: Wanpeng Li <wanpengli@tencent.com>
+Date: Tue, 20 Nov 2018 16:34:18 +0800
+Subject: KVM: X86: Fix scan ioapic use-before-initialization
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Git-commit: e97f852fd4561e77721bb9a4e0ea9d98305b1e93
+Patch-mainline: v4.20-rc5
+References: CVE-2018-19407 bsc#1116841
+
+Reported by syzkaller:
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
+ PGD 80000003ec4da067 P4D 80000003ec4da067 PUD 3f7bfa067 PMD 0
+ Oops: 0000 [#1] PREEMPT SMP PTI
+ CPU: 7 PID: 5059 Comm: debug Tainted: G OE 4.19.0-rc5 #16
+ RIP: 0010:__lock_acquire+0x1a6/0x1990
+ Call Trace:
+ lock_acquire+0xdb/0x210
+ _raw_spin_lock+0x38/0x70
+ kvm_ioapic_scan_entry+0x3e/0x110 [kvm]
+ vcpu_enter_guest+0x167e/0x1910 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x35c/0x610 [kvm]
+ kvm_vcpu_ioctl+0x3e9/0x6d0 [kvm]
+ do_vfs_ioctl+0xa5/0x690
+ ksys_ioctl+0x6d/0x80
+ __x64_sys_ioctl+0x1a/0x20
+ do_syscall_64+0x83/0x6e0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+The reason is that the testcase writes hyperv synic HV_X64_MSR_SINT6 msr
+and triggers scan ioapic logic to load synic vectors into EOI exit bitmap.
+However, irqchip is not initialized by this simple testcase, ioapic/apic
+objects should not be accessed.
+This can be triggered by the following program:
+
+ #define _GNU_SOURCE
+
+ #include <endian.h>
+ #include <stdint.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <sys/syscall.h>
+ #include <sys/types.h>
+ #include <unistd.h>
+
+ uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff};
+
+ int main(void)
+ {
+ syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
+ long res = 0;
+ memcpy((void*)0x20000040, "/dev/kvm", 9);
+ res = syscall(__NR_openat, 0xffffffffffffff9c, 0x20000040, 0, 0);
+ if (res != -1)
+ r[0] = res;
+ res = syscall(__NR_ioctl, r[0], 0xae01, 0);
+ if (res != -1)
+ r[1] = res;
+ res = syscall(__NR_ioctl, r[1], 0xae41, 0);
+ if (res != -1)
+ r[2] = res;
+ memcpy(
+ (void*)0x20000080,
+ "\x01\x00\x00\x00\x00\x5b\x61\xbb\x96\x00\x00\x40\x00\x00\x00\x00\x01\x00"
+ "\x08\x00\x00\x00\x00\x00\x0b\x77\xd1\x78\x4d\xd8\x3a\xed\xb1\x5c\x2e\x43"
+ "\xaa\x43\x39\xd6\xff\xf5\xf0\xa8\x98\xf2\x3e\x37\x29\x89\xde\x88\xc6\x33"
+ "\xfc\x2a\xdb\xb7\xe1\x4c\xac\x28\x61\x7b\x9c\xa9\xbc\x0d\xa0\x63\xfe\xfe"
+ "\xe8\x75\xde\xdd\x19\x38\xdc\x34\xf5\xec\x05\xfd\xeb\x5d\xed\x2e\xaf\x22"
+ "\xfa\xab\xb7\xe4\x42\x67\xd0\xaf\x06\x1c\x6a\x35\x67\x10\x55\xcb",
+ 106);
+ syscall(__NR_ioctl, r[2], 0x4008ae89, 0x20000080);
+ syscall(__NR_ioctl, r[2], 0xae80, 0);
+ return 0;
+ }
+
+This patch fixes it by bailing out scan ioapic if ioapic is not initialized in
+kernel.
+
+Reported-by: Wei Wu <ww9210@gmail.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Wei Wu <ww9210@gmail.com>
+Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Acked-by: Joerg Roedel <jroedel@suse.de>
+---
+ arch/x86/kvm/x86.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -564,6 +564,7 @@ static void kvm_put_guest_xcr0(struct kv
+
+ static void vcpu_scan_ioapic(struct kvm_vcpu *vcpu)
+ {
++ struct kvm *kvm = vcpu->kvm;
+ u64 eoi_exit_bitmap[4];
+ u32 tmr[8];
+
+@@ -573,7 +574,8 @@ static void vcpu_scan_ioapic(struct kvm_
+ memset(eoi_exit_bitmap, 0, 32);
+ memset(tmr, 0, 32);
+
+- kvm_ioapic_scan_entry(vcpu, eoi_exit_bitmap, tmr);
++ if (kvm->arch.vioapic != NULL)
++ kvm_ioapic_scan_entry(vcpu, eoi_exit_bitmap, tmr);
+ kvm_x86_ops->load_eoi_exitmap(vcpu, eoi_exit_bitmap);
+ kvm_apic_update_tmr(vcpu, tmr);
+ }
diff --git a/series.conf b/series.conf
index 5f25b35fbd..7851307ae4 100644
--- a/series.conf
+++ b/series.conf
@@ -25586,6 +25586,10 @@
patches.fixes/block-allow-gendisk-s-request_queue-registration-to-.patch
patches.fixes/dm-fix-incomplete-request_queue-initialization.patch
patches.fixes/dm-only-initialize-the-request_queue-once.patch
+
+ # bsc#1116841, CVE-2018-19407
+ patches.arch/kvm-x86-fix-scan-ioapic-use-before-initialization
+
########################################################
# You'd better have a good reason for adding a patch
# below here.