| From 06ce521af9558814b8606c0476c54497cf83a653 Mon Sep 17 00:00:00 2001 |
| From: Paolo Bonzini <pbonzini@redhat.com> |
| Date: Tue, 24 Jan 2017 11:56:21 +0100 |
| Subject: kvm: fix page struct leak in handle_vmon |
| |
| From: Paolo Bonzini <pbonzini@redhat.com> |
| |
| commit 06ce521af9558814b8606c0476c54497cf83a653 upstream. |
| |
| handle_vmon gets a reference on VMXON region page, |
| but does not release it. Release the reference. |
| |
| Found by syzkaller; based on a patch by Dmitry. |
| |
| Reported-by: Dmitry Vyukov <dvyukov@google.com> |
| Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> |
| [bwh: Backported to 3.16: use skip_emulated_instruction()] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/x86/kvm/vmx.c | 10 ++++++++-- |
| 1 file changed, 8 insertions(+), 2 deletions(-) |
| |
| --- a/arch/x86/kvm/vmx.c |
| +++ b/arch/x86/kvm/vmx.c |
| @@ -6925,14 +6925,20 @@ static int nested_vmx_check_vmptr(struct |
| } |
| |
| page = nested_get_page(vcpu, vmptr); |
| - if (page == NULL || |
| - *(u32 *)kmap(page) != VMCS12_REVISION) { |
| + if (page == NULL) { |
| nested_vmx_failInvalid(vcpu); |
| + skip_emulated_instruction(vcpu); |
| + return 1; |
| + } |
| + if (*(u32 *)kmap(page) != VMCS12_REVISION) { |
| kunmap(page); |
| + nested_release_page_clean(page); |
| + nested_vmx_failInvalid(vcpu); |
| skip_emulated_instruction(vcpu); |
| return 1; |
| } |
| kunmap(page); |
| + nested_release_page_clean(page); |
| vmx->nested.vmxon_ptr = vmptr; |
| break; |
| case EXIT_REASON_VMCLEAR: |
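Review bot: The cleanup pair `kunmap(page); nested_release_page_clean(page);` is now written twice in the new code, once on the bad-revision path and once on the success path, which is exactly the kind of duplication that let the original leak go unnoticed on one path. Reading the revision word into a local and dropping the mapping and the page reference once, before the comparison, leaves a single release point so the lifetime of the reference taken by `nested_get_page` is visible at a glance; the `u32 revision` local would be declared with the function's other locals, which sit outside the hunk. The behaviour is unchanged: the NULL-page path still fails without touching the page, and the bad-revision path still fails after the page is released. The enclosing `nested_vmx_check_vmptr` starts before the hunk and continues after it.
```c
	page = nested_get_page(vcpu, vmptr);
	if (page == NULL) {
		nested_vmx_failInvalid(vcpu);
		skip_emulated_instruction(vcpu);
		return 1;
	}
	revision = *(u32 *)kmap(page);
	kunmap(page);
	nested_release_page_clean(page);
	/* page is not used past this point; the reference is dropped exactly once */
	if (revision != VMCS12_REVISION) {
		nested_vmx_failInvalid(vcpu);
		skip_emulated_instruction(vcpu);
		return 1;
	}
	vmx->nested.vmxon_ptr = vmptr;
	/* … unchanged: break; and the following cases … */
```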