Commit 276c796c authored by Mark Kanda's avatar Mark Kanda Committed by Paolo Bonzini
Browse files

KVM: nVMX: Add a WARN for freeing a loaded VMCS02 



When attempting to free a loaded VMCS02, add a WARN and avoid
freeing it (to avoid use-after-free situations).

Suggested-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: default avatarMark Kanda <mark.kanda@oracle.com>
Reviewed-by: default avatarAmeya More <ameya.more@oracle.com>
Reviewed-by: default avatarKrish Sadhukhan <krish.sadhukhan@oracle.com>
Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
parent 00647b44

arch/x86/kvm/vmx.c

+15 −2
Original line number Diff line number Diff line
@@ -3846,6 +3846,19 @@ static void free_loaded_vmcs(struct loaded_vmcs *loaded_vmcs) 
	WARN_ON(loaded_vmcs->shadow_vmcs != NULL);

}



static void vmx_nested_free_vmcs02(struct vcpu_vmx *vmx)

{

	struct loaded_vmcs *loaded_vmcs = &vmx->nested.vmcs02;



	/*

	 * Just leak the VMCS02 if the WARN triggers. Better than

	 * a use-after-free.

	 */

	if (WARN_ON(vmx->loaded_vmcs == loaded_vmcs))

		return;

	free_loaded_vmcs(loaded_vmcs);

}



static void free_kvm_area(void)

{

	int cpu;
@@ -7203,7 +7216,7 @@ out_cached_vmcs12: 
	free_page((unsigned long)vmx->nested.msr_bitmap);



out_msr_bitmap:

	free_loaded_vmcs(&vmx->nested.vmcs02);

	vmx_nested_free_vmcs02(vmx);



out_vmcs02:

	return -ENOMEM;
@@ -7375,7 +7388,7 @@ static void free_nested(struct vcpu_vmx *vmx) 
		vmx->nested.pi_desc = NULL;

	}



	free_loaded_vmcs(&vmx->nested.vmcs02);

	vmx_nested_free_vmcs02(vmx);

}



/* Emulate the VMXOFF instruction */

CRA Git | Maintained and supported by SUSTech CRA and CCSE