cve/published/2024/CVE-2024-47717.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-47717: RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data

 With the latest Linux-6.11-rc3, the below NULL pointer crash is observed
 when SBI PMU snapshot is enabled for the guest and the guest is forcefully
 powered-off.

   Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508
   Oops [#1]
   Modules linked in: kvm
   CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3
   Hardware name: riscv-virtio,qemu (DT)
   epc : __kvm_write_guest_page+0x94/0xa6 [kvm]
    ra : __kvm_write_guest_page+0x54/0xa6 [kvm]
   epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0
    gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000
    t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0
    s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086
    a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0
    a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc
    s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000
    s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000
    s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001
    s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3
    t5 : ffffffff814126e0 t6 : ffffffff81412700
   status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d
   [<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]
   [<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]
   [<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
   [<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
   [<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]
   [<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]
   [<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]
   [<ffffffff0159930c>] kvm_arch_destroy_vm+0x14/0x28 [kvm]
   [<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]
   [<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]
   [<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]

 Clearly, the kvm_vcpu_write_guest() function is crashing because it is
 being called from kvm_pmu_clear_snapshot_area() upon guest tear down.

 To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to
 not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because
 the guest is anyway being tore down.

 The kvm_pmu_clear_snapshot_area() is also called when guest changes
 PMU snapshot area of a VCPU but even in this case the previous PMU
 snaphsot area must not be zeroed-out because the guest might have
 reclaimed the pervious PMU snapshot area for some other purpose.

 The Linux kernel CVE team has assigned CVE-2024-47717 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.10 with commit c2f41ddbcdd75689d9f512638a40263e3127be93 and fixed in 6.10.13 with commit 81aa95fd5bd14ff49617f07fa79a8d1f1cf2ce9a
 	Issue introduced in 6.10 with commit c2f41ddbcdd75689d9f512638a40263e3127be93 and fixed in 6.11.2 with commit 6d0a5dcfc78bd18f2abb9641f83380135494559b
 	Issue introduced in 6.10 with commit c2f41ddbcdd75689d9f512638a40263e3127be93 and fixed in 6.12 with commit 47d40d93292d9cff8dabb735bed83d930fa03950

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-47717
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/riscv/kvm/vcpu_pmu.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/81aa95fd5bd14ff49617f07fa79a8d1f1cf2ce9a
 	https://git.kernel.org/stable/c/6d0a5dcfc78bd18f2abb9641f83380135494559b
 	https://git.kernel.org/stable/c/47d40d93292d9cff8dabb735bed83d930fa03950
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-47717: RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	RISC-V: KVM: Don't zero-out PMU snapshot area before freeing data

	With the latest Linux-6.11-rc3, the below NULL pointer crash is observed
	when SBI PMU snapshot is enabled for the guest and the guest is forcefully
	powered-off.

	Unable to handle kernel NULL pointer dereference at virtual address 0000000000000508
	Oops [#1]
	Modules linked in: kvm
	CPU: 0 UID: 0 PID: 61 Comm: term-poll Not tainted 6.11.0-rc3-00018-g44d7178dd77a #3
	Hardware name: riscv-virtio,qemu (DT)
	epc : __kvm_write_guest_page+0x94/0xa6 [kvm]
	ra : __kvm_write_guest_page+0x54/0xa6 [kvm]
	epc : ffffffff01590e98 ra : ffffffff01590e58 sp : ffff8f80001f39b0
	gp : ffffffff81512a60 tp : ffffaf80024872c0 t0 : ffffaf800247e000
	t1 : 00000000000007e0 t2 : 0000000000000000 s0 : ffff8f80001f39f0
	s1 : 00007fff89ac4000 a0 : ffffffff015dd7e8 a1 : 0000000000000086
	a2 : 0000000000000000 a3 : ffffaf8000000000 a4 : ffffaf80024882c0
	a5 : 0000000000000000 a6 : ffffaf800328d780 a7 : 00000000000001cc
	s2 : ffffaf800197bd00 s3 : 00000000000828c4 s4 : ffffaf800248c000
	s5 : ffffaf800247d000 s6 : 0000000000001000 s7 : 0000000000001000
	s8 : 0000000000000000 s9 : 00007fff861fd500 s10: 0000000000000001
	s11: 0000000000800000 t3 : 00000000000004d3 t4 : 00000000000004d3
	t5 : ffffffff814126e0 t6 : ffffffff81412700
	status: 0000000200000120 badaddr: 0000000000000508 cause: 000000000000000d
	[<ffffffff01590e98>] __kvm_write_guest_page+0x94/0xa6 [kvm]
	[<ffffffff015943a6>] kvm_vcpu_write_guest+0x56/0x90 [kvm]
	[<ffffffff015a175c>] kvm_pmu_clear_snapshot_area+0x42/0x7e [kvm]
	[<ffffffff015a1972>] kvm_riscv_vcpu_pmu_deinit.part.0+0xe0/0x14e [kvm]
	[<ffffffff015a2ad0>] kvm_riscv_vcpu_pmu_deinit+0x1a/0x24 [kvm]
	[<ffffffff0159b344>] kvm_arch_vcpu_destroy+0x28/0x4c [kvm]
	[<ffffffff0158e420>] kvm_destroy_vcpus+0x5a/0xda [kvm]
	[<ffffffff0159930c>] kvm_arch_destroy_vm+0x14/0x28 [kvm]
	[<ffffffff01593260>] kvm_destroy_vm+0x168/0x2a0 [kvm]
	[<ffffffff015933d4>] kvm_put_kvm+0x3c/0x58 [kvm]
	[<ffffffff01593412>] kvm_vm_release+0x22/0x2e [kvm]

	Clearly, the kvm_vcpu_write_guest() function is crashing because it is
	being called from kvm_pmu_clear_snapshot_area() upon guest tear down.

	To address the above issue, simplify the kvm_pmu_clear_snapshot_area() to
	not zero-out PMU snapshot area from kvm_pmu_clear_snapshot_area() because
	the guest is anyway being tore down.

	The kvm_pmu_clear_snapshot_area() is also called when guest changes
	PMU snapshot area of a VCPU but even in this case the previous PMU
	snaphsot area must not be zeroed-out because the guest might have
	reclaimed the pervious PMU snapshot area for some other purpose.

	The Linux kernel CVE team has assigned CVE-2024-47717 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.10 with commit c2f41ddbcdd75689d9f512638a40263e3127be93 and fixed in 6.10.13 with commit 81aa95fd5bd14ff49617f07fa79a8d1f1cf2ce9a
	Issue introduced in 6.10 with commit c2f41ddbcdd75689d9f512638a40263e3127be93 and fixed in 6.11.2 with commit 6d0a5dcfc78bd18f2abb9641f83380135494559b
	Issue introduced in 6.10 with commit c2f41ddbcdd75689d9f512638a40263e3127be93 and fixed in 6.12 with commit 47d40d93292d9cff8dabb735bed83d930fa03950

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-47717
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/riscv/kvm/vcpu_pmu.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/81aa95fd5bd14ff49617f07fa79a8d1f1cf2ce9a
	https://git.kernel.org/stable/c/6d0a5dcfc78bd18f2abb9641f83380135494559b
	https://git.kernel.org/stable/c/47d40d93292d9cff8dabb735bed83d930fa03950