Date: Tue, 11 Jul 2023 09:26:38 -0700
From: Kees Cook
To: Sean Christopherson
Cc: Andrew Morton, Zheng Zhang, linux-hardening@vger.kernel.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, Matthew Wilcox
Subject: Re: [BUG]: bad usercopy in kvm_stats_read in mm/usercopy.c
Message-ID: <202307110925.CBAF286C0A@keescook>
References: <20230710133427.fb599ef486c7b764d9ca2cc3@linux-foundation.org>
On Tue, Jul 11, 2023 at 09:15:00AM -0700, Sean Christopherson wrote:
> On Mon, Jul 10, 2023, Andrew Morton wrote:
> > On Sun, 9 Jul 2023 14:32:09 -0700 Zheng Zhang wrote:
> >
> > > Kees, Andrew, and to whom it may concern:
> > >
> > > Hello! We have found a bug in the Linux kernel version 6.2.0 by syzkaller
> > > with our own templates. It also produces a POC.
> > > Attached is the report, log, and reproducers generated by syzkaller.
> > > Please let me know if there is any additional information that I can
> > > provide to help debug this issue.
> > > Thanks!
> >
> > Let's cc the kvm mailing list.
> >
> > Original email is at
> > https://lkml.kernel.org/r/CAC_GQSr3xzZaeZt85k_RCBd5kfiOve8qXo7a81Cq53LuVQ5r=Q@mail.gmail.com
>
> Yeaaaah. We failed kernel programming 101. KVM installs file descriptors to
> let userspace read VM and vCPU stats, but doesn't grab a reference to the VM to
> ensure the VM and its vCPUs are kept alive until the stats fds are closed. I'll
> send a patch.

Thanks! Another victory for hardened usercopy. :)

-- 
Kees Cook
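As an added illustration of the lifetime rule Sean describes (this is a model written for this page, not KVM code; the vm, stats_file and function names are made up): a stats file that takes its own reference on open keeps the object alive until release, while one that only stores the pointer ends up reading from a torn-down object as soon as the VM fd is closed, which is the stale copy that hardened usercopy flagged in the report.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Model of the lifetime bug in the thread (illustrative, not KVM code). */
struct vm { int refcount; long stat; bool torn_down; /* stands in for kfree() */ };
struct stats_file { struct vm *vm; bool holds_ref; };

/* Drop a reference; the last one tears the vm down (a real kernel frees it). */
static void vm_put(struct vm *vm) { if (--vm->refcount == 0) vm->torn_down = true; }

/* open(): the fixed variant takes its own reference, the buggy one does not. */
static struct stats_file *stats_open(struct vm *vm, bool pin_vm)
{
    struct stats_file *f = calloc(1, sizeof(*f));
    f->vm = vm;
    if ((f->holds_ref = pin_vm))
        vm->refcount++;
    return f;
}

/* read(): false when it would copy from a torn-down vm, which is the
 * use-after-free that hardened usercopy flagged in the report. */
static bool stats_read(struct stats_file *f, long *out)
{
    if (f->vm->torn_down)
        return false;
    *out = f->vm->stat;
    return true;
}

/* release(): the fd's reference goes away with the fd. */
static void stats_release(struct stats_file *f)
{
    if (f->holds_ref)
        vm_put(f->vm);
    free(f);
}

/* Reported sequence: VM fd closed while a stats fd is still open. True only if
 * the read stays valid and teardown happens after the stats fd is released. */
static bool stats_outlive_vm_fd(bool pin_vm)
{
    struct vm *vm = calloc(1, sizeof(*vm));
    vm->refcount = 1; vm->stat = 42;   /* VM fd's reference; constructed sample */
    struct stats_file *f = stats_open(vm, pin_vm);
    long v = 0;
    vm_put(vm);                         /* userspace closes the VM fd */
    bool ok = stats_read(f, &v) && v == 42;
    stats_release(f);                   /* stats fd closed: last reference dropped */
    ok = ok && vm->torn_down;
    free(vm);
    return ok;
}
```

Calling stats_outlive_vm_fd(true) models the fix (open pins the VM) and returns true; stats_outlive_vm_fd(false) models the reported behaviour and returns false because the read hits a torn-down vm.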