cve/published/2022/CVE-2022-49882.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49882: KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache

 Reject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive.
 Not checking the active flag during refresh is particularly egregious, as
 KVM can end up with a valid, inactive cache, which can lead to a variety
 of use-after-free bugs, e.g. consuming a NULL kernel pointer or missing
 an mmu_notifier invalidation due to the cache not being on the list of
 gfns to invalidate.

 Note, "active" needs to be set if and only if the cache is on the list
 of caches, i.e. is reachable via mmu_notifier events.  If a relevant
 mmu_notifier event occurs while the cache is "active" but not on the
 list, KVM will not acquire the cache's lock and so will not serailize
 the mmu_notifier event with active users and/or kvm_gpc_refresh().

 A race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND
 can be exploited to trigger the bug.

 1. Deactivate shinfo cache:

 kvm_xen_hvm_set_attr
 case KVM_XEN_ATTR_TYPE_SHARED_INFO
  kvm_gpc_deactivate
   kvm_gpc_unmap
    gpc->valid = false
    gpc->khva = NULL
   gpc->active = false

 Result: active = false, valid = false

 2. Cause cache refresh:

 kvm_arch_vm_ioctl
 case KVM_XEN_HVM_EVTCHN_SEND
  kvm_xen_hvm_evtchn_send
   kvm_xen_set_evtchn
    kvm_xen_set_evtchn_fast
     kvm_gpc_check
     return -EWOULDBLOCK because !gpc->valid
    kvm_xen_set_evtchn_fast
     return -EWOULDBLOCK
    kvm_gpc_refresh
     hva_to_pfn_retry
      gpc->valid = true
      gpc->khva = not NULL

 Result: active = false, valid = true

 3. Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl
 KVM_XEN_ATTR_TYPE_SHARED_INFO:

 kvm_arch_vm_ioctl
 case KVM_XEN_HVM_EVTCHN_SEND
  kvm_xen_hvm_evtchn_send
   kvm_xen_set_evtchn
    kvm_xen_set_evtchn_fast
     read_lock gpc->lock
                                           kvm_xen_hvm_set_attr case
                                           KVM_XEN_ATTR_TYPE_SHARED_INFO
                                            mutex_lock kvm->lock
                                            kvm_xen_shared_info_init
                                             kvm_gpc_activate
                                              gpc->khva = NULL
     kvm_gpc_check
      [ Check passes because gpc->valid is
        still true, even though gpc->khva
        is already NULL. ]
     shinfo = gpc->khva
     pending_bits = shinfo->evtchn_pending
     CRASH: test_and_set_bit(..., pending_bits)

 The Linux kernel CVE team has assigned CVE-2022-49882 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.17 with commit 982ed0de4753ed6e71dbd40f82a5a066baf133ed and fixed in 6.0.8 with commit bfa9672f8fc9eb118124bab61899d2dd497f95ba
 	Issue introduced in 5.17 with commit 982ed0de4753ed6e71dbd40f82a5a066baf133ed and fixed in 6.1 with commit ecbcf030b45666ad11bc98565e71dfbcb7be4393

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49882
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	virt/kvm/pfncache.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/bfa9672f8fc9eb118124bab61899d2dd497f95ba
 	https://git.kernel.org/stable/c/ecbcf030b45666ad11bc98565e71dfbcb7be4393
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49882: KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	KVM: Reject attempts to consume or refresh inactive gfn_to_pfn_cache

	Reject kvm_gpc_check() and kvm_gpc_refresh() if the cache is inactive.
	Not checking the active flag during refresh is particularly egregious, as
	KVM can end up with a valid, inactive cache, which can lead to a variety
	of use-after-free bugs, e.g. consuming a NULL kernel pointer or missing
	an mmu_notifier invalidation due to the cache not being on the list of
	gfns to invalidate.

	Note, "active" needs to be set if and only if the cache is on the list
	of caches, i.e. is reachable via mmu_notifier events. If a relevant
	mmu_notifier event occurs while the cache is "active" but not on the
	list, KVM will not acquire the cache's lock and so will not serailize
	the mmu_notifier event with active users and/or kvm_gpc_refresh().

	A race between KVM_XEN_ATTR_TYPE_SHARED_INFO and KVM_XEN_HVM_EVTCHN_SEND
	can be exploited to trigger the bug.

	1. Deactivate shinfo cache:

	kvm_xen_hvm_set_attr
	case KVM_XEN_ATTR_TYPE_SHARED_INFO
	kvm_gpc_deactivate
	kvm_gpc_unmap
	gpc->valid = false
	gpc->khva = NULL
	gpc->active = false

	Result: active = false, valid = false

	2. Cause cache refresh:

	kvm_arch_vm_ioctl
	case KVM_XEN_HVM_EVTCHN_SEND
	kvm_xen_hvm_evtchn_send
	kvm_xen_set_evtchn
	kvm_xen_set_evtchn_fast
	kvm_gpc_check
	return -EWOULDBLOCK because !gpc->valid
	kvm_xen_set_evtchn_fast
	return -EWOULDBLOCK
	kvm_gpc_refresh
	hva_to_pfn_retry
	gpc->valid = true
	gpc->khva = not NULL

	Result: active = false, valid = true

	3. Race ioctl KVM_XEN_HVM_EVTCHN_SEND against ioctl
	KVM_XEN_ATTR_TYPE_SHARED_INFO:

	kvm_arch_vm_ioctl
	case KVM_XEN_HVM_EVTCHN_SEND
	kvm_xen_hvm_evtchn_send
	kvm_xen_set_evtchn
	kvm_xen_set_evtchn_fast
	read_lock gpc->lock
	kvm_xen_hvm_set_attr case
	KVM_XEN_ATTR_TYPE_SHARED_INFO
	mutex_lock kvm->lock
	kvm_xen_shared_info_init
	kvm_gpc_activate
	gpc->khva = NULL
	kvm_gpc_check
	[ Check passes because gpc->valid is
	still true, even though gpc->khva
	is already NULL. ]
	shinfo = gpc->khva
	pending_bits = shinfo->evtchn_pending
	CRASH: test_and_set_bit(..., pending_bits)

	The Linux kernel CVE team has assigned CVE-2022-49882 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.17 with commit 982ed0de4753ed6e71dbd40f82a5a066baf133ed and fixed in 6.0.8 with commit bfa9672f8fc9eb118124bab61899d2dd497f95ba
	Issue introduced in 5.17 with commit 982ed0de4753ed6e71dbd40f82a5a066baf133ed and fixed in 6.1 with commit ecbcf030b45666ad11bc98565e71dfbcb7be4393

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49882
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	virt/kvm/pfncache.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/bfa9672f8fc9eb118124bab61899d2dd497f95ba
	https://git.kernel.org/stable/c/ecbcf030b45666ad11bc98565e71dfbcb7be4393