Commit 350b8bdd authored Aug 19, 2014 by Michael S. Tsirkin Committed by Paolo Bonzini Aug 19, 2014

kvm: iommu: fix the third parameter of kvm_iommu_put_pages (CVE-2014-3601)



The third parameter of kvm_iommu_put_pages is wrong,
It should be 'gfn - slot->base_gfn'.

By making gfn very large, malicious guest or userspace can cause kvm to
go to this error path, and subsequently to pass a huge value as size.
Alternatively if gfn is small, then pages would be pinned but never
unpinned, causing host memory leak and local DOS.

Passing a reasonable but large value could be the most dangerous case,
because it would unpin a page that should have stayed pinned, and thus
allow the device to DMA into arbitrary memory.  However, this cannot
happen because of the condition that can trigger the error:

- out of memory (where you can't allocate even a single page)
  should not be possible for the attacker to trigger

- when exceeding the iommu's address space, guest pages after gfn
  will also exceed the iommu's address space, and inside
  kvm_iommu_put_pages() the iommu_iova_to_phys() will fail.  The
  page thus would not be unpinned at all.

Reported-by: Jack Morgenstein <jackm@mellanox.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

parent 7d1311b9

virt/kvm/iommu.c

+10 −9

Original line number	Diff line number	Diff line
		@@ -61,6 +61,14 @@ static pfn_t kvm_pin_pages(struct kvm_memory_slot *slot, gfn_t gfn,
		return pfn;
		}

		static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages)
		{
		unsigned long i;

		for (i = 0; i < npages; ++i)
		kvm_release_pfn_clean(pfn + i);
		}

		int kvm_iommu_map_pages(struct kvm kvm, struct kvm_memory_slot slot)
		{
		gfn_t gfn, end_gfn;
		@@ -123,6 +131,7 @@ int kvm_iommu_map_pages(struct kvm kvm, struct kvm_memory_slot slot)
		if (r) {
		printk(KERN_ERR "kvm_iommu_map_address:"
		"iommu failed to map pfn=%llx\n", pfn);
		kvm_unpin_pages(kvm, pfn, page_size);
		goto unmap_pages;
		}

		@@ -134,7 +143,7 @@ int kvm_iommu_map_pages(struct kvm kvm, struct kvm_memory_slot slot)
		return 0;

		unmap_pages:
		kvm_iommu_put_pages(kvm, slot->base_gfn, gfn);
		kvm_iommu_put_pages(kvm, slot->base_gfn, gfn - slot->base_gfn);
		return r;
		}

		@@ -266,14 +275,6 @@ out_unlock:
		return r;
		}

		static void kvm_unpin_pages(struct kvm *kvm, pfn_t pfn, unsigned long npages)
		{
		unsigned long i;

		for (i = 0; i < npages; ++i)
		kvm_release_pfn_clean(pfn + i);
		}

		static void kvm_iommu_put_pages(struct kvm *kvm,
		gfn_t base_gfn, unsigned long npages)
		{

Admin message