cve/published/2021/CVE-2021-47639.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47639: KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU

 Zap both valid and invalid roots when zapping/unmapping a gfn range, as
 KVM must ensure it holds no references to the freed page after returning
 from the unmap operation.  Most notably, the TDP MMU doesn't zap invalid
 roots in mmu_notifier callbacks.  This leads to use-after-free and other
 issues if the mmu_notifier runs to completion while an invalid root
 zapper yields as KVM fails to honor the requirement that there must be
 _no_ references to the page after the mmu_notifier returns.

 The bug is most easily reproduced by hacking KVM to cause a collision
 between set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug
 exists between kvm_mmu_notifier_invalidate_range_start() and memslot
 updates as well.  Invalidating a root ensures pages aren't accessible by
 the guest, and KVM won't read or write page data itself, but KVM will
 trigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing
 a zap of an invalid root _after_ the mmu_notifier returns is fatal.

   WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]
   RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]
   Call Trace:
    <TASK>
    kvm_set_pfn_dirty+0xa8/0xe0 [kvm]
    __handle_changed_spte+0x2ab/0x5e0 [kvm]
    __handle_changed_spte+0x2ab/0x5e0 [kvm]
    __handle_changed_spte+0x2ab/0x5e0 [kvm]
    zap_gfn_range+0x1f3/0x310 [kvm]
    kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]
    kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]
    set_nx_huge_pages+0xb4/0x190 [kvm]
    param_attr_store+0x70/0x100
    module_attr_store+0x19/0x30
    kernfs_fop_write_iter+0x119/0x1b0
    new_sync_write+0x11c/0x1b0
    vfs_write+0x1cc/0x270
    ksys_write+0x5f/0xe0
    do_syscall_64+0x38/0xc0
    entry_SYSCALL_64_after_hwframe+0x44/0xae
    </TASK>

 The Linux kernel CVE team has assigned CVE-2021-47639 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit b7cccd397f310739fb85383033e95580f99927e0 and fixed in 5.15.33 with commit af47248407c0c5ae52a752af1ab5ce5b0db91502
 	Issue introduced in 5.13 with commit b7cccd397f310739fb85383033e95580f99927e0 and fixed in 5.16.19 with commit 0c8a8da182d4333d9bbb9131d765145568c847b2
 	Issue introduced in 5.13 with commit b7cccd397f310739fb85383033e95580f99927e0 and fixed in 5.17.2 with commit 8cf6f98ab1d16d5e607635a0c21c4231eb15367e
 	Issue introduced in 5.13 with commit b7cccd397f310739fb85383033e95580f99927e0 and fixed in 5.18 with commit d62007edf01f5c11f75d0f4b1e538fc52a5b1982

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47639
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/kvm/mmu/tdp_mmu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/af47248407c0c5ae52a752af1ab5ce5b0db91502
 	https://git.kernel.org/stable/c/0c8a8da182d4333d9bbb9131d765145568c847b2
 	https://git.kernel.org/stable/c/8cf6f98ab1d16d5e607635a0c21c4231eb15367e
 	https://git.kernel.org/stable/c/d62007edf01f5c11f75d0f4b1e538fc52a5b1982
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47639: KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU

	Zap both valid and invalid roots when zapping/unmapping a gfn range, as
	KVM must ensure it holds no references to the freed page after returning
	from the unmap operation. Most notably, the TDP MMU doesn't zap invalid
	roots in mmu_notifier callbacks. This leads to use-after-free and other
	issues if the mmu_notifier runs to completion while an invalid root
	zapper yields as KVM fails to honor the requirement that there must be
	_no_ references to the page after the mmu_notifier returns.

	The bug is most easily reproduced by hacking KVM to cause a collision
	between set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug
	exists between kvm_mmu_notifier_invalidate_range_start() and memslot
	updates as well. Invalidating a root ensures pages aren't accessible by
	the guest, and KVM won't read or write page data itself, but KVM will
	trigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing
	a zap of an invalid root _after_ the mmu_notifier returns is fatal.

	WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm]
	RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm]
	Call Trace:
	<TASK>
	kvm_set_pfn_dirty+0xa8/0xe0 [kvm]
	__handle_changed_spte+0x2ab/0x5e0 [kvm]
	__handle_changed_spte+0x2ab/0x5e0 [kvm]
	__handle_changed_spte+0x2ab/0x5e0 [kvm]
	zap_gfn_range+0x1f3/0x310 [kvm]
	kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm]
	kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm]
	set_nx_huge_pages+0xb4/0x190 [kvm]
	param_attr_store+0x70/0x100
	module_attr_store+0x19/0x30
	kernfs_fop_write_iter+0x119/0x1b0
	new_sync_write+0x11c/0x1b0
	vfs_write+0x1cc/0x270
	ksys_write+0x5f/0xe0
	do_syscall_64+0x38/0xc0
	entry_SYSCALL_64_after_hwframe+0x44/0xae
	</TASK>

	The Linux kernel CVE team has assigned CVE-2021-47639 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit b7cccd397f310739fb85383033e95580f99927e0 and fixed in 5.15.33 with commit af47248407c0c5ae52a752af1ab5ce5b0db91502
	Issue introduced in 5.13 with commit b7cccd397f310739fb85383033e95580f99927e0 and fixed in 5.16.19 with commit 0c8a8da182d4333d9bbb9131d765145568c847b2
	Issue introduced in 5.13 with commit b7cccd397f310739fb85383033e95580f99927e0 and fixed in 5.17.2 with commit 8cf6f98ab1d16d5e607635a0c21c4231eb15367e
	Issue introduced in 5.13 with commit b7cccd397f310739fb85383033e95580f99927e0 and fixed in 5.18 with commit d62007edf01f5c11f75d0f4b1e538fc52a5b1982

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47639
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/kvm/mmu/tdp_mmu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/af47248407c0c5ae52a752af1ab5ce5b0db91502
	https://git.kernel.org/stable/c/0c8a8da182d4333d9bbb9131d765145568c847b2
	https://git.kernel.org/stable/c/8cf6f98ab1d16d5e607635a0c21c4231eb15367e
	https://git.kernel.org/stable/c/d62007edf01f5c11f75d0f4b1e538fc52a5b1982