From: Greg Kroah-Hartman Date: Wed, 27 Mar 2024 14:59:45 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v6.7.12~200 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b088760aa95ed2300d355328784274845c355e3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch --- diff --git a/queue-5.10/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch b/queue-5.10/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch new file mode 100644 index 00000000000..cddfc719095 --- /dev/null +++ b/queue-5.10/kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch 
@@ -0,0 +1,67 @@ +From 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Fri, 16 Feb 2024 17:34:30 -0800 +Subject: KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region() + +From: Sean Christopherson + +commit 5ef1d8c1ddbf696e47b226e11888eaf8d9e8e807 upstream. + +Do the cache flush of converted pages in svm_register_enc_region() before +dropping kvm->lock to fix use-after-free issues where region and/or its +array of pages could be freed by a different task, e.g. if userspace has +__unregister_enc_region_locked() already queued up for the region. + +Note, the "obvious" alternative of using local variables doesn't fully +resolve the bug, as region->pages is also dynamically allocated. I.e. the +region structure itself would be fine, but region->pages could be freed. + +Flushing multiple pages under kvm->lock is unfortunate, but the entire +flow is a rare slow path, and the manual flush is only needed on CPUs that +lack coherency for encrypted memory. + +Fixes: 19a23da53932 ("Fix unsynchronized access to sev members through svm_register_enc_region") +Reported-by: Gabe Kirkpatrick +Cc: Josh Eads +Cc: Peter Gonda +Cc: stable@vger.kernel.org +Signed-off-by: Sean Christopherson +Message-Id: <20240217013430.2079561-1-seanjc@google.com> +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm/sev.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/arch/x86/kvm/svm/sev.c ++++ b/arch/x86/kvm/svm/sev.c +@@ -1024,20 +1024,22 @@ int svm_register_enc_region(struct kvm * + goto e_free; + } + +- region->uaddr = range->addr; +- region->size = range->size; +- +- list_add_tail(®ion->list, &sev->regions_list); +- mutex_unlock(&kvm->lock); +- + /* + * The guest may change the memory encryption attribute from C=0 -> C=1 + * or vice versa for this memory range. 
Lets make sure caches are + * flushed to ensure that guest data gets written into memory with +- * correct C-bit. ++ * correct C-bit. Note, this must be done before dropping kvm->lock, ++ * as region and its array of pages can be freed by a different task ++ * once kvm->lock is released. + */ + sev_clflush_pages(region->pages, region->npages); + ++ region->uaddr = range->addr; ++ region->size = range->size; ++ ++ list_add_tail(®ion->list, &sev->regions_list); ++ mutex_unlock(&kvm->lock); ++ + return ret; + + e_free: diff --git a/queue-5.10/series b/queue-5.10/series index c4caa157f1e..5afaa5a259f 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -121,3 +121,4 @@ netfilter-nf_tables-disallow-anonymous-set-with-timeout-flag.patch netfilter-nf_tables-reject-constant-set-with-timeout.patch drivers-hv-vmbus-calculate-ring-buffer-size-for-more-efficient-use-of-memory.patch xfrm-avoid-clang-fortify-warning-in-copy_to_user_tmpl.patch +kvm-svm-flush-pages-under-kvm-lock-to-fix-uaf-in-svm_register_enc_region.patch
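Review bot: the reordering in the arch/x86/kvm/svm/sev.c hunk closes the race the commit message describes, because sev_clflush_pages(region->pages, region->npages) now runs before list_add_tail(&region->list, &sev->regions_list) publishes the region and before mutex_unlock(&kvm->lock); while the flush walks region->pages, no other task holding kvm->lock can look the region up and free it or its pages array. Two points to confirm for the 5.10 backport: first, deferring the region->uaddr and region->size assignments until after the flush is only safe if sev_clflush_pages() reads nothing but region->pages and region->npages, which is what the call in the hunk passes, so a reviewer should check the 5.10 body of that helper rather than assume it matches upstream; second, the flush now extends the kvm->lock hold time by the cost of flushing every page in the region on CPUs that, as the message puts it, lack coherency for encrypted memory, which is acceptable for this rare slow path but worth noting in case anything latency-sensitive is later serialized on kvm->lock. The extended comment ("this must be done before dropping kvm->lock, as region and its array of pages can be freed by a different task once kvm->lock is released") is the right place for this contract and should be preserved verbatim in the backport so the ordering is not "cleaned up" again later. The queue-5.10/series hunk appends the patch at the end of the queue, which matches the new file added above.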