Home Explore Help
Register Sign In
Apq
/
pve-edge-kernel
mirror of https://github.com/fabianishere/pve-edge-kernel.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: c19df7fe61
Branches Tags
pve-edge-kernel
/
patches
/
kernel
/
0012-kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch

0012-kvm-fix-kvm_ioctl_create_device-reference-counting-C.patch 2.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Jann Horn <[email protected]>
    3. 

  3. Date: Mon, 25 Feb 2019 11:48:05 +0000
    4. 

  4. Subject: [PATCH] kvm: fix kvm_ioctl_create_device() reference counting
    5. 

  5.  (CVE-2019-6974)
    6. 

  6. 

  7. kvm_ioctl_create_device() does the following:
    8. 

  8. 

  9. 1. creates a device that holds a reference to the VM object (with a borrowed
    10. 

  10.    reference, the VM's refcount has not been bumped yet)
    11. 

  11. 2. initializes the device
    12. 

  12. 3. transfers the reference to the device to the caller's file descriptor table
    13. 

  13. 4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
    14. 

  14.    reference
    15. 

  15. 

  16. The ownership transfer in step 3 must not happen before the reference to the VM
    17. 

  17. becomes a proper, non-borrowed reference, which only happens in step 4.
    18. 

  18. After step 3, an attacker can close the file descriptor and drop the borrowed
    19. 

  19. reference, which can cause the refcount of the kvm object to drop to zero.
    20. 

  20. 

  21. This means that we need to grab a reference for the device before
    22. 

  22. anon_inode_getfd(), otherwise the VM can disappear from under us.
    23. 

  23. 

  24. Fixes: 852b6d57dc7f ("kvm: add device control API")
    25. 

  25. Cc: [email protected]
    26. 

  26. Signed-off-by: Jann Horn <[email protected]>
    27. 

  27. Signed-off-by: Paolo Bonzini <[email protected]>
    28. 

  28. 

  29. CVE-2019-6974
    30. 

  30. 

  31. (cherry picked from commit cfa39381173d5f969daf43582c95ad679189cbc9)
    32. 

  32. Signed-off-by: Tyler Hicks <[email protected]>
    33. 

  33. Signed-off-by: Thomas Lamprecht <[email protected]>
    34. 

  34. ---
    35. 

  35.  virt/kvm/kvm_main.c | 3 ++-
    36. 

  36.  1 file changed, 2 insertions(+), 1 deletion(-)
    37. 

  37. 

  38. diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
    39. 

  39. index 234d03abcb75..238ddbc127e1 100644
    40. 

  40. --- a/virt/kvm/kvm_main.c
    41. 

  41. +++ b/virt/kvm/kvm_main.c
    42. 

  42. @@ -2908,8 +2908,10 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
    43. 

  43.  	if (ops->init)
    44. 

  44.  		ops->init(dev);
    45. 

  45.  
    46. 

  46. +	kvm_get_kvm(kvm);
    47. 

  47.  	ret = anon_inode_getfd(ops->name, &kvm_device_fops, dev, O_RDWR | O_CLOEXEC);
    48. 

  48.  	if (ret < 0) {
    49. 

  49. +		kvm_put_kvm(kvm);
    50. 

  50.  		mutex_lock(&kvm->lock);
    51. 

  51.  		list_del(&dev->vm_node);
    52. 

  52.  		mutex_unlock(&kvm->lock);
    53. 

  53. @@ -2917,7 +2919,6 @@ static int kvm_ioctl_create_device(struct kvm *kvm,
    54. 

  54.  		return ret;
    55. 

  55.  	}
    56. 

  56.  
    57. 

  57. -	kvm_get_kvm(kvm);
    58. 

  58.  	cd->fd = ret;
    59. 

  59.  	return 0;
    60. 

  60.  }
    61.