From bippy-1.2.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2024-41070: KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()

Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().

It looks up `stt` from tablefd, but then continues to use it after doing
fdput() on the returned fd. After the fdput() the tablefd is free to be
closed by another thread. The close calls kvm_spapr_tce_release() and
then release_spapr_tce_table() (via call_rcu()) which frees `stt`.

Although there are calls to rcu_read_lock() in
kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent
the UAF, because `stt` is used outside the locked regions.

With an artificial delay after the fdput() and a userspace program which
triggers the race, KASAN detects the UAF:

BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505
CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1
Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV
Call Trace:
dump_stack_lvl+0xb4/0x108 (unreliable)
print_report+0x2b4/0x6ec
kasan_report+0x118/0x2b0
__asan_load4+0xb8/0xd0
kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
kvm_vfio_set_attr+0x524/0xac0 [kvm]
kvm_device_ioctl+0x144/0x240 [kvm]
sys_ioctl+0x62c/0x1810
system_call_exception+0x190/0x440
system_call_vectored_common+0x15c/0x2ec
...
Freed by task 0:
...
kfree+0xec/0x3e0
release_spapr_tce_table+0xd4/0x11c [kvm]
rcu_core+0x568/0x16a0
handle_softirqs+0x23c/0x920
do_softirq_own_stack+0x6c/0x90
do_softirq_own_stack+0x58/0x90
__irq_exit_rcu+0x218/0x2d0
irq_exit+0x30/0x80
arch_local_irq_restore+0x128/0x230
arch_local_irq_enable+0x1c/0x30
cpuidle_enter_state+0x134/0x5cc
cpuidle_enter+0x6c/0xb0
call_cpuidle+0x7c/0x100
do_idle+0x394/0x410
cpu_startup_entry+0x60/0x70
start_secondary+0x3fc/0x410
start_secondary_prolog+0x10/0x14

Fix it by delaying the fdput() until `stt` is no longer in use, which
is effectively the entire function. To keep the patch minimal add a call
to fdput() at each of the existing return paths. Future work can convert
the function to goto or __cleanup style cleanup.

With the fix in place the test case no longer triggers the UAF.
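The lifetime bug and its fix, as an added user-space model (not the kernel's code and not part of this announcement): struct file, fdget()/fdput(), the release callback, `stt` and the "other thread" closing tablefd are simplified stand-ins that make the race deterministic, and a freed flag plays the role KASAN played in the report above.

```c
/* Constructed model of the fdput() lifetime bug; assumed names throughout,
 * simplified stand-ins for the kernel objects named in the description. */
#include <stdbool.h>
struct tce_table { bool freed; int window_size; };   /* stands in for `stt` */
struct file { int refs; struct tce_table *stt; };     /* stands in for struct file */
/* Analogue of release_spapr_tce_table(): runs once the last reference is gone. */
static void release_table(struct file *f) { f->stt->freed = true; }
static void fdget(struct file *f) { f->refs++; }
static void fdput(struct file *f) { if (--f->refs == 0) release_table(f); }
/* Another thread closing tablefd drops the fd table's own reference. */
static void close_from_other_thread(struct file *f) { fdput(f); }
/* KASAN-like guard: every read of `stt` goes through here; -1 flags a UAF. */
static int read_window_size(const struct tce_table *stt) { return stt->freed ? -1 : stt->window_size; }

/* Vulnerable shape: fdput() right after the lookup, `stt` used afterwards. */
static int attach_vulnerable(struct file *tablefd)
{
    fdget(tablefd);
    struct tce_table *stt = tablefd->stt;
    fdput(tablefd);                       /* reference dropped too early */
    close_from_other_thread(tablefd);     /* race window: last reference goes away */
    return read_window_size(stt);         /* reads freed memory in the real kernel */
}

/* Fixed shape: fdput() moved to the return path, so a concurrent close cannot
 * free `stt` while this function still uses it. */
static int attach_fixed(struct file *tablefd)
{
    fdget(tablefd);
    struct tce_table *stt = tablefd->stt;
    close_from_other_thread(tablefd);     /* same race: only the fd-table ref drops */
    int ret = read_window_size(stt);      /* still valid: our fdget() ref pins it */
    fdput(tablefd);                       /* last user releases; table freed here */
    return ret;
}

/* Each runner starts from a fresh table owned by one fd-table reference. */
int run_vulnerable(void)
{
    struct tce_table t = { false, 4096 }; struct file f = { 1, &t };
    return attach_vulnerable(&f);         /* -1: the close freed `stt` under us */
}
int run_fixed(void)
{
    struct tce_table t = { false, 4096 }; struct file f = { 1, &t };
    int ret = attach_fixed(&f);
    return t.freed ? ret : -2;            /* 4096; -2 would mean the table leaked */
}
```

The general rule the fix applies is that a reference obtained from a file descriptor must outlive every dereference of what was looked up through it; the runners show the same concurrent close freeing `stt` in the early-fdput() shape and being harmless in the late-fdput() shape.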

The Linux kernel CVE team has assigned CVE-2024-41070 to this issue.


Affected and fixed versions
===========================

Issue introduced in 4.12 with commit 121f80ba68f1a5779a36d7b3247206e60e0a7418 and fixed in 5.4.281 with commit be847bb20c809de8ac124431b556f244400b0491
Issue introduced in 4.12 with commit 121f80ba68f1a5779a36d7b3247206e60e0a7418 and fixed in 5.10.223 with commit 4cdf6926f443c84f680213c7aafbe6f91a5fcbc0
Issue introduced in 4.12 with commit 121f80ba68f1a5779a36d7b3247206e60e0a7418 and fixed in 5.15.164 with commit b26c8c85463ef27a522d24fcd05651f0bb039e47
Issue introduced in 4.12 with commit 121f80ba68f1a5779a36d7b3247206e60e0a7418 and fixed in 6.1.101 with commit 5f856023971f97fff74cfaf21b48ec320147b50a
Issue introduced in 4.12 with commit 121f80ba68f1a5779a36d7b3247206e60e0a7418 and fixed in 6.6.42 with commit 82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf
Issue introduced in 4.12 with commit 121f80ba68f1a5779a36d7b3247206e60e0a7418 and fixed in 6.9.11 with commit 9975f93c760a32453d7639cf6fcf3f73b4e71ffe
Issue introduced in 4.12 with commit 121f80ba68f1a5779a36d7b3247206e60e0a7418 and fixed in 6.10 with commit a986fa57fd81a1430e00b3c6cf8a325d6f894a63

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-41070
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
arch/powerpc/kvm/book3s_64_vio.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491
https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0
https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47
https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a
https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf
https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe
https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63