KVM: x86: Convert MSR_KVM_SYSTEM_TIME to use gfn_to_hva_cache functions (CVE-2013-1797)

There is a potential use after free issue with the handling of
MSR_KVM_SYSTEM_TIME.  If the guest specifies a GPA in a movable or removable
memory such as frame buffers then KVM might continue to write to that
address even after it's removed via KVM_SET_USER_MEMORY_REGION.  KVM pins
the page in memory so it's unlikely to cause an issue, but if the user
space component re-purposes the memory previously used for the guest, then
the guest will be able to corrupt that memory.

Tested: Tested against kvmclock unit test

Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

2 files changed, 22 insertions, 29 deletions

diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 635a74d22409..4979778cc7fb 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -414,8 +414,8 @@ struct kvm_vcpu_arch {
         gpa_t time;
         struct pvclock_vcpu_time_info hv_clock;
         unsigned int hw_tsc_khz;
-        unsigned int time_offset;
-        struct page *time_page;
+        struct gfn_to_hva_cache pv_time;
+        bool pv_time_enabled;
         /* set guest stopped flag in pvclock flags field */
         bool pvclock_set_guest_stopped_request;
 
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 2ade60c25402..f19ac0aca60d 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1406,10 +1406,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
         unsigned long flags, this_tsc_khz;
         struct kvm_vcpu_arch *vcpu = &v->arch;
         struct kvm_arch *ka = &v->kvm->arch;
-        void *shared_kaddr;
         s64 kernel_ns, max_kernel_ns;
         u64 tsc_timestamp, host_tsc;
-        struct pvclock_vcpu_time_info *guest_hv_clock;
+        struct pvclock_vcpu_time_info guest_hv_clock;
         u8 pvclock_flags;
         bool use_master_clock;
 
@@ -1463,7 +1462,7 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
 
         local_irq_restore(flags);
 
-        if (!vcpu->time_page)
+        if (!vcpu->pv_time_enabled)
                 return 0;
 
         /*
@@ -1525,12 +1524,12 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
          */
         vcpu->hv_clock.version += 2;
 
-        shared_kaddr = kmap_atomic(vcpu->time_page);
-
-        guest_hv_clock = shared_kaddr + vcpu->time_offset;
+        if (unlikely(kvm_read_guest_cached(v->kvm, &vcpu->pv_time,
+                &guest_hv_clock, sizeof(guest_hv_clock))))
+                return 0;
 
         /* retain PVCLOCK_GUEST_STOPPED if set in guest copy */
-        pvclock_flags = (guest_hv_clock->flags & PVCLOCK_GUEST_STOPPED);
+        pvclock_flags = (guest_hv_clock.flags & PVCLOCK_GUEST_STOPPED);
 
         if (vcpu->pvclock_set_guest_stopped_request) {
                 pvclock_flags |= PVCLOCK_GUEST_STOPPED;
@@ -1543,12 +1542,9 @@ static int kvm_guest_time_update(struct kvm_vcpu *v)
 
         vcpu->hv_clock.flags = pvclock_flags;
 
-        memcpy(shared_kaddr + vcpu->time_offset, &vcpu->hv_clock,
-               sizeof(vcpu->hv_clock));
-
-        kunmap_atomic(shared_kaddr);
-
-        mark_page_dirty(v->kvm, vcpu->time >> PAGE_SHIFT);
+        kvm_write_guest_cached(v->kvm, &vcpu->pv_time,
+                                &vcpu->hv_clock,
+                                sizeof(vcpu->hv_clock));
         return 0;
 }
 
@@ -1837,10 +1833,7 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
 
 static void kvmclock_reset(struct kvm_vcpu *vcpu)
 {
-        if (vcpu->arch.time_page) {
-                kvm_release_page_dirty(vcpu->arch.time_page);
-                vcpu->arch.time_page = NULL;
-        }
+        vcpu->arch.pv_time_enabled = false;
 }
 
 static void accumulate_steal_time(struct kvm_vcpu *vcpu)
@@ -1947,6 +1940,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
                 break;
         case MSR_KVM_SYSTEM_TIME_NEW:
         case MSR_KVM_SYSTEM_TIME: {
+                u64 gpa_offset;
                 kvmclock_reset(vcpu);
 
                 vcpu->arch.time = data;
@@ -1956,19 +1950,17 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
                 if (!(data & 1))
                         break;
 
-                /* ...but clean it before doing the actual write */
-                vcpu->arch.time_offset = data & ~(PAGE_MASK | 1);
+                gpa_offset = data & ~(PAGE_MASK | 1);
 
                 /* Check that the address is 32-byte aligned. */
-                if (vcpu->arch.time_offset &
-                                (sizeof(struct pvclock_vcpu_time_info) - 1))
+                if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1))
                         break;
 
-                vcpu->arch.time_page =
-                                gfn_to_page(vcpu->kvm, data >> PAGE_SHIFT);
-
-                if (is_error_page(vcpu->arch.time_page))
-                        vcpu->arch.time_page = NULL;
+                if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
+                     &vcpu->arch.pv_time, data & ~1ULL))
+                        vcpu->arch.pv_time_enabled = false;
+                else
+                        vcpu->arch.pv_time_enabled = true;
 
                 break;
         }
@@ -2972,7 +2964,7 @@ static int kvm_vcpu_ioctl_x86_set_xcrs(struct kvm_vcpu *vcpu,
  */
 static int kvm_set_guest_paused(struct kvm_vcpu *vcpu)
 {
-        if (!vcpu->arch.time_page)
+        if (!vcpu->arch.pv_time_enabled)
                 return -EINVAL;
         vcpu->arch.pvclock_set_guest_stopped_request = true;
         kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
@@ -6723,6 +6715,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
                 goto fail_free_wbinvd_dirty_mask;
 
         vcpu->arch.ia32_tsc_adjust_msr = 0x0;
+        vcpu->arch.pv_time_enabled = false;
         kvm_async_pf_hash_reset(vcpu);
         kvm_pmu_init(vcpu);