diff options
| author | Michael S. Tsirkin <mst@redhat.com> | 2014-08-19 07:14:50 -0400 |
|---|---|---|
| committer | Paolo Bonzini <pbonzini@redhat.com> | 2014-08-19 09:04:45 -0400 |
| commit | 350b8bdd689cd2ab2c67c8a86a0be86cfa0751a7 (patch) | |
| tree | 00f9822472c91756bf1d4c6577972e1d7d582823 /virt | |
| parent | 7d1311b93e58ed55f3a31cc8f94c4b8fe988a2b9 (diff) | |
kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)
The third parameter of kvm_iommu_put_pages is wrong,
It should be 'gfn - slot->base_gfn'.
By making gfn very large, malicious guest or userspace can cause kvm to
go to this error path, and subsequently to pass a huge value as size.
Alternatively if gfn is small, then pages would be pinned but never
unpinned, causing host memory leak and local DOS.
Passing a reasonable but large value could be the most dangerous case,
because it would unpin a page that should have stayed pinned, and thus
allow the device to DMA into arbitrary memory. However, this cannot
happen because of the condition that can trigger the error:
- out of memory (where you can't allocate even a single page)
should not be possible for the attacker to trigger
- when exceeding the iommu's address space, guest pages after gfn
will also exceed the iommu's address space, and inside
kvm_iommu_put_pages() the iommu_iova_to_phys() will fail. The
page thus would not be unpinned at all.
Reported-by: Jack Morgenstein <jackm@mellanox.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Diffstat (limited to 'virt')
| -rw-r--r-- | virt/kvm/iommu.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/virt/kvm/iommu.c b/virt/kvm/iommu.c index 0df7d4b34dfe..714b94932312 100644 --- a/virt/kvm/iommu.c +++ b/virt/kvm/iommu.c | |||
| @@ -61,6 +61,14 @@ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn, | |||
| 61 | return pfn; | 61 | return pfn; |
| 62 | } | 62 | } |
| 63 | 63 | ||
| 64 | static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages) | ||
| 65 | { | ||
| 66 | unsigned long i; | ||
| 67 | |||
| 68 | for (i = 0; i < npages; ++i) | ||
| 69 | kvm_release_pfn_clean(pfn + i); | ||
| 70 | } | ||
| 71 | |||
| 64 | int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) | 72 | int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) |
| 65 | { | 73 | { |
| 66 | gfn_t gfn, end_gfn; | 74 | gfn_t gfn, end_gfn; |
| @@ -123,6 +131,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) | |||
| 123 | if (r) { | 131 | if (r) { |
| 124 | printk(KERN_ERR "kvm_iommu_map_address:" | 132 | printk(KERN_ERR "kvm_iommu_map_address:" |
| 125 | "iommu failed to map pfn=%llx\n", pfn); | 133 | "iommu failed to map pfn=%llx\n", pfn); |
| 134 | kvm_unpin_pages(kvm, pfn, page_size); | ||
| 126 | goto unmap_pages; | 135 | goto unmap_pages; |
| 127 | } | 136 | } |
| 128 | 137 | ||
| @@ -134,7 +143,7 @@ int kvm_iommu_map_pages(struct kvm *kvm, struct kvm_memory_slot *slot) | |||
| 134 | return 0; | 143 | return 0; |
| 135 | 144 | ||
| 136 | unmap_pages: | 145 | unmap_pages: |
| 137 | kvm_iommu_put_pages(kvm, slot->base_gfn, gfn); | 146 | kvm_iommu_put_pages(kvm, slot->base_gfn, gfn - slot->base_gfn); |
| 138 | return r; | 147 | return r; |
| 139 | } | 148 | } |
| 140 | 149 | ||
| @@ -266,14 +275,6 @@ out_unlock: | |||
| 266 | return r; | 275 | return r; |
| 267 | } | 276 | } |
| 268 | 277 | ||
| 269 | static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages) | ||
| 270 | { | ||
| 271 | unsigned long i; | ||
| 272 | |||
| 273 | for (i = 0; i < npages; ++i) | ||
| 274 | kvm_release_pfn_clean(pfn + i); | ||
| 275 | } | ||
| 276 | |||
| 277 | static void kvm_iommu_put_pages(struct kvm *kvm, | 278 | static void kvm_iommu_put_pages(struct kvm *kvm, |
| 278 | gfn_t base_gfn, unsigned long npages) | 279 | gfn_t base_gfn, unsigned long npages) |
| 279 | { | 280 | { |