authorJiri Slaby <jslaby@suse.cz>2019-02-12 22:18:26 +0100
committerJiri Slaby <jslaby@suse.cz>2019-02-12 22:21:28 +0100
commitdda0bf60bb628c78c69f3bfe3f3106b6a19a6f69 (patch)
tree5d875af0d997a68d56882d6fc0bd48499ca1f2a9
parent0b0755b662cfd98c8b2bf63f48ecd647f221876c (diff)
kvm: fix kvm_ioctl_create_device() reference counting
(CVE-2019-6974) (bnc#1012628).
-rw-r--r--patches.kernel.org/4.20.8-331-kvm-fix-kvm_ioctl_create_device-reference-coun.patch63
-rw-r--r--series.conf1
2 files changed, 64 insertions, 0 deletions
diff --git a/patches.kernel.org/4.20.8-331-kvm-fix-kvm_ioctl_create_device-reference-coun.patch b/patches.kernel.org/4.20.8-331-kvm-fix-kvm_ioctl_create_device-reference-coun.patch
new file mode 100644
index 0000000000..9b031c65c7
--- /dev/null
+++ b/patches.kernel.org/4.20.8-331-kvm-fix-kvm_ioctl_create_device-reference-coun.patch
@@ -0,0 +1,63 @@
+From: Jann Horn <jannh@google.com>
+Date: Sat, 26 Jan 2019 01:54:33 +0100
+Subject: [PATCH] kvm: fix kvm_ioctl_create_device() reference counting
+ (CVE-2019-6974)
+References: bnc#1012628
+Patch-mainline: 4.20.8
+Git-commit: cfa39381173d5f969daf43582c95ad679189cbc9
+
+commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.
+
+kvm_ioctl_create_device() does the following:
+
+1. creates a device that holds a reference to the VM object (with a borrowed
+ reference, the VM's refcount has not been bumped yet)
+2. initializes the device
+3. transfers the reference to the device to the caller's file descriptor table
+4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
+ reference
+
+The ownership transfer in step 3 must not happen before the reference to the VM
+becomes a proper, non-borrowed reference, which only happens in step 4.
+After step 3, an attacker can close the file descriptor and drop the borrowed
+reference, which can cause the refcount of the kvm object to drop to zero.
+
+This means that we need to grab a reference for the device before
+anon_inode_getfd(), otherwise the VM can disappear from under us.
+
+Fixes: 852b6d57dc7f ("kvm: add device control API")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+---
+ virt/kvm/kvm_main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index 065ee2fb4034..9fa05ed53944 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -2919,8 +2919,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ if (ops->init)
+ ops->init(dev);
+
++ kvm_get_kvm(kvm);
+ ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
+ if (ret < 0) {
++ kvm_put_kvm(kvm);
+ mutex_lock(&kvm->lock);
+ list_del(&dev->vm_node);
+ mutex_unlock(&kvm->lock);
+@@ -2928,7 +2930,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
+ return ret;
+ }
+
+- kvm_get_kvm(kvm);
+ cd->fd = ret;
+ return 0;
+ }
+--
+2.20.1
+
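Review bot: The added error-path `kvm_put_kvm(kvm);` drops the VM reference before the code goes on to take `kvm->lock` and unlink `dev->vm_node`, so this ordering is only correct if that put can never be the final one, and nothing in the hunk records that invariant. It presumably holds because the caller reached this ioctl through the VM's own file descriptor, which keeps the kvm refcount above zero for the duration of the call, but a reader (or a future caller without that guarantee) has no way to tell that from the code. I would annotate the new line: `/* Cannot be the last reference: the ioctl caller still holds the VM fd. */`, so the dependency on the caller-held reference is explicit where the lock is taken afterwards. The enclosing kvm_ioctl_create_device() starts and ends outside this hunk, and the device teardown that follows `mutex_unlock` is only implied by the second inner hunk's context.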
diff --git a/series.conf b/series.conf
index 715b2fbd1a..c4d53280b2 100644
--- a/series.conf
+++ b/series.conf
@@ -1067,6 +1067,7 @@
patches.kernel.org/4.20.8-328-scsi-cxlflash-Prevent-deadlock-when-adapter-pr.patch
patches.kernel.org/4.20.8-329-scsi-aic94xx-fix-module-loading.patch
patches.kernel.org/4.20.8-330-KVM-x86-work-around-leak-of-uninitialized-stac.patch
+ patches.kernel.org/4.20.8-331-kvm-fix-kvm_ioctl_create_device-reference-coun.patch
########################################################
# Build fixes that apply to the vanilla kernel too.