CVE-2022-50471

In the Linux kernel, the following vulnerability has been resolved:

xen/gntdev: Accommodate VMA splitting

Prior to this commit, the gntdev driver code did not handle the following scenario correctly with paravirtualized (PV) Xen domains:

• User process sets up a gntdev mapping composed of two grant mappings (i.e., two pages shared by another Xen domain).
• User process munmap()s one of the pages.
• User process munmap()s the remaining page.
• User process exits.

In the scenario above, the user process would cause the kernel to log the following messages in dmesg for the first munmap(), and the second munmap() call would result in similar log messages:

BUG: Bad page map in process doublemap.test pte:... pmd:... page:0000000057c97bff refcount:1 mapcount:-1 \ mapping:0000000000000000 index:0x0 pfn:... ... page dumped because: bad pte ... file:gntdev fault:0x0 mmap:gntdevmmap [xengntdev] readpage:0x0 ... Call Trace: <TASK> dumpstacklvl+0x46/0x5e printbadpte.cold+0x66/0xb6 unmappagerange+0x7e5/0xdc0 unmapvmas+0x78/0xf0 unmapregion+0xa8/0x110 __do_munmap+0x1ea/0x4e0 __vm_munmap+0x75/0x120 __x64sysmunmap+0x28/0x40 dosyscall64+0x38/0x90 entrySYSCALL64afterhwframe+0x61/0xcb ...

For each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG) would print out the following and trigger a general protection fault in the affected Xen PV domain:

(XEN) d0v... Attempt to implicitly unmap d0's grant PTE ... (XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...

As of this writing, gntdevgrantmap structure's vma field (referred to as map->vma below) is mainly used for checking the start and end addresses of mappings. However, with split VMAs, these may change, and there could be more than one VMA associated with a gntdev mapping. Hence, remove the use of map->vma and rely on map->pagesvmstart for the original start address and on (map->count << PAGESHIFT) for the original mapping size. Let the invalidate() and findspecial_page() hooks use these.

Also, given that there can be multiple VMAs associated with a gntdev mapping, move the "mmuintervalnotifierremove(&map->notifier)" call to the end of gntdevput_map, so that the MMU notifier is only removed after the closing of the last remaining VMA.

Finally, use an atomic to prevent inadvertent gntdev mapping re-use, instead of using the map->livegrants atomic counter and/or the map->vma pointer (the latter of which is now removed). This prevents the userspace from mmap()'ing (with MAPFIXED) a gntdev mapping over the same address range as a previously set up gntdev mapping. This scenario can be summarized with the following call-trace, which was valid prior to this commit:

mmap gntdevmmap mmap (repeat mmap with MAPFIXED over the same address range) gntdevinvalidate unmapgrantpages (sets 'beingremoved' entries to true) gnttabunmaprefsasync unmapsinglevma gntdevmmap (maps the shared pages again) munmap gntdevinvalidate unmapgrantpages (no-op because 'beingremoved' entries are true) unmapsinglevma (For PV domains, Xen reports that a granted page is being unmapped and triggers a general protection fault in the affected domain, if Xen was built with CONFIG_DEBUG)

The fix for this last scenario could be worth its own commit, but we opted for a single commit, because removing the gntdevgrantmap structure's vma field requires guarding the entry to gntdevmmap(), and the livegrants atomic counter is not sufficient on its own to prevent the mmap() over a pre-existing mapping.