| author | Jason Gunthorpe <[email protected]> | 2022-05-16 20:41:17 -0300 |
|---|---|---|
| committer | Alex Williamson <[email protected]> | 2022-05-17 13:07:09 -0600 |
| commit | be8d3adae65cd44b6c299b796a5e1a0c24c54454 (patch) | |
| tree | 3c1115902cc3e83ffb42c4303add5c80d3058d95 /include/linux/fpga/fpga-mgr.h | |
| parent | 6b17ca8e5e7a7b10689867dff5e22d7da368ba76 (diff) | |
vfio: Add missing locking for struct vfio_group::kvm
Without locking userspace can trigger a UAF by racing
KVM_DEV_VFIO_GROUP_DEL with VFIO_GROUP_GET_DEVICE_FD:
  CPU1                               CPU2
  ioctl(KVM_DEV_VFIO_GROUP_DEL)
                                     ioctl(VFIO_GROUP_GET_DEVICE_FD)
                                     vfio_group_get_device_fd
                                     open_device()
                                     intel_vgpu_open_device()
                                     vfio_register_notifier()
                                     vfio_register_group_notifier()
                                     blocking_notifier_call_chain(&group->notifier,
                                          VFIO_GROUP_NOTIFY_SET_KVM, group->kvm);
  set_kvm()
  group->kvm = NULL
  close()
  kfree(kvm)
                                     intel_vgpu_group_notifier()
                                     vdev->kvm = data
                                     [..]
                                     kvm_get_kvm(vgpu->kvm);
                                     // UAF!
Add a simple rwsem in the group to protect the kvm while the notifier is
using it.
Note this doesn't fix the race internal to i915 where userspace can
trigger two VFIO_GROUP_NOTIFY_SET_KVM's before we reach a consumer of
vgpu->kvm and trigger this same UAF, it just makes the notifier
self-consistent.
Fixes: ccd46dbae77d ("vfio: support notifier chain in vfio_group")
Reviewed-by: Kevin Tian <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Tested-by: Nicolin Chen <[email protected]>
Tested-by: Matthew Rosato <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alex Williamson <[email protected]>
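An added user-space model of the locking the commit message describes, not the kernel patch itself: a pthread rwlock stands in for the rwsem, a barrier forces the CPU1/CPU2 interleaving from the diagram, and the struct and function names (vfio_group, kvm, set_kvm, kvm_get_kvm) mirror the message while the rest is constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* pthread_rwlock_t and pthread_barrier_t */
#include <pthread.h>
#include <stdlib.h>

/* Constructed stand-ins: the "freed" flag replaces kfree() so a test can inspect it. */
struct kvm { int refcount; int freed; };
struct vfio_group { pthread_rwlock_t kvm_lock; struct kvm *kvm; }; /* lock = the rwsem */

static void kvm_get_kvm(struct kvm *k) { k->refcount++; }
static void kvm_put_kvm(struct kvm *k) { if (--k->refcount == 0) k->freed = 1; }

/* CPU1 (KVM_DEV_VFIO_GROUP_DEL): swap the pointer under the write lock, which
 * waits for any in-flight notifier, then drop the group's reference. */
static void set_kvm(struct vfio_group *g, struct kvm *new_kvm)
{
    pthread_rwlock_wrlock(&g->kvm_lock);
    struct kvm *old = g->kvm;
    g->kvm = new_kvm;
    pthread_rwlock_unlock(&g->kvm_lock);
    if (old) kvm_put_kvm(old);
}

struct notifier_ctx { struct vfio_group *g; pthread_barrier_t *mid_chain; struct kvm *seen; };

/* CPU2 (VFIO_GROUP_GET_DEVICE_FD): hold the read lock from reading group->kvm
 * until the consumer has taken its own reference, so set_kvm() cannot free it. */
static void *register_group_notifier(void *arg)
{
    struct notifier_ctx *c = arg;
    pthread_rwlock_rdlock(&c->g->kvm_lock);
    struct kvm *k = c->g->kvm;              /* the value passed down the chain */
    pthread_barrier_wait(c->mid_chain);     /* let set_kvm() start racing here */
    if (k) kvm_get_kvm(k);                  /* consumer's kvm_get_kvm(vgpu->kvm) */
    pthread_rwlock_unlock(&c->g->kvm_lock);
    c->seen = k;
    return NULL;
}

/* Replay the diagram's interleaving with the lock in place; returns the pointer
 * the consumer holds, which must still be live (refcount 1, not freed). */
struct kvm *race_with_lock(struct kvm *k)
{
    struct vfio_group g = { .kvm = k };
    pthread_barrier_t mid_chain;
    struct notifier_ctx c = { &g, &mid_chain, NULL };
    pthread_t t;
    k->refcount = 1;                        /* the group's own reference */
    pthread_rwlock_init(&g.kvm_lock, NULL);
    pthread_barrier_init(&mid_chain, NULL, 2);
    pthread_create(&t, NULL, register_group_notifier, &c);
    pthread_barrier_wait(&mid_chain);       /* notifier now holds the read lock */
    set_kvm(&g, NULL);                      /* blocks until the notifier is done */
    pthread_join(t, NULL);
    return c.seen;
}
```

Without the read lock around the chain call, set_kvm() could run between the read of group->kvm and the consumer's kvm_get_kvm(), dropping the last reference first; with it, the writer is held off until the consumer owns a reference.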