Commit 5ef1d8c
KVM: SVM: Flush pages under kvm->lock to fix UAF in svm_register_enc_region()
Do the cache flush of converted pages in svm_register_enc_region() before
dropping kvm->lock to fix use-after-free issues where region and/or its
array of pages could be freed by a different task, e.g. if userspace has
__unregister_enc_region_locked() already queued up for the region.
Note, the "obvious" alternative of using local variables doesn't fully
resolve the bug, as region->pages is also dynamically allocated. I.e. the
region structure itself would be fine, but region->pages could be freed.
Flushing multiple pages under kvm->lock is unfortunate, but the entire
flow is a rare slow path, and the manual flush is only needed on CPUs that
lack coherency for encrypted memory.
Fixes: 19a23da ("Fix unsynchronized access to sev members through svm_register_enc_region")
Reported-by: Gabe Kirkpatrick <gkirkpatrick@google.com>
Cc: Josh Eads <josheads@google.com>
Cc: Peter Gonda <pgonda@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20240217013430.2079561-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>1 parent c48617f commit 5ef1d8c
1 file changed
Lines changed: 9 additions & 7 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1975 | 1975 | | |
1976 | 1976 | | |
1977 | 1977 | | |
1978 | | - | |
1979 | | - | |
1980 | | - | |
1981 | | - | |
1982 | | - | |
1983 | | - | |
1984 | 1978 | | |
1985 | 1979 | | |
1986 | 1980 | | |
1987 | 1981 | | |
1988 | | - | |
| 1982 | + | |
| 1983 | + | |
| 1984 | + | |
1989 | 1985 | | |
1990 | 1986 | | |
1991 | 1987 | | |
| 1988 | + | |
| 1989 | + | |
| 1990 | + | |
| 1991 | + | |
| 1992 | + | |
| 1993 | + | |
1992 | 1994 | | |
1993 | 1995 | | |
1994 | 1996 | | |
| |||
0 commit comments