In the Linux kernel, the following vulnerability has been resolved:
drivers/virt/acrn: fix PFNMAP PTE checks in acrn_vm_ram_map()
Patch series "mm: follow_pte() improvements and acrn follow_pte() fixes".
Patch #1 fixes a bunch of issues I spotted in the acrn driver. It compiles, that's all I know. I'll appreciate some review and testing from acrn folks.
Patch #2+#3 improve follow_pte(), passing a VMA instead of the MM, adding more sanity checks, and improving the documentation. Gave it a quick test on x86-64 using VM_PAT that ends up using follow_pte().
This patch (of 3):
We currently miss handling various cases, resulting in a dangerous follow_pte() (previously follow_pfn()) usage.
(1) We're not checking PTE write permissions.
Maybe we should simply always require pte_write() like we do for pin_user_pages_fast(FOLL_WRITE)? Hard to tell, so let's check for ACRN_MEM_ACCESS_WRITE for now.
(2) We're not rejecting refcounted pages.
As we are not using MMU notifiers, messing with refcounted pages is dangerous and can result in use-after-free. Let's make sure to reject them.
(3) We are only looking at the first PTE of a bigger range.
We only lookup a single PTE, but memmap->len may span a larger area. Let's loop over all involved PTEs and make sure the PFN range is actually contiguous. Reject everything else: it couldn't have worked either way, and rather made us access PFNs we shouldn't be accessing.
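A user-space model of the three checks described above, added here as an illustration; it is not the kernel's or the patch's own code. The `fake_pte` struct (with `special` standing in for "no refcounted page behind this PTE"), the `MEM_ACCESS_WRITE` placeholder and the scenarios are constructed assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the PTE properties the fix inspects; not kernel types. */
struct fake_pte {
    uint64_t pfn;
    bool writable; /* stands in for pte_write() */
    bool special;  /* stands in for "no refcounted struct page behind this PTE" */
};

#define MEM_ACCESS_WRITE 0x2u /* placeholder for ACRN_MEM_ACCESS_WRITE */

/* Apply the three checks to the run of PTEs backing one memmap region:
 * (1) write permission when write access is requested, (2) no refcounted
 * pages, (3) a contiguous PFN range. Returns 0 and the base PFN, or -1. */
int validate_pfnmap_range(const struct fake_pte *ptes, size_t npages,
                          unsigned int access, uint64_t *base_pfn)
{
    if (npages == 0)
        return -1;
    for (size_t i = 0; i < npages; i++) {
        if ((access & MEM_ACCESS_WRITE) && !ptes[i].writable)
            return -1; /* (1) missing write permission */
        if (!ptes[i].special)
            return -1; /* (2) refcounted page: unsafe without MMU notifiers */
        if (ptes[i].pfn != ptes[0].pfn + i)
            return -1; /* (3) PFN range not contiguous */
    }
    *base_pfn = ptes[0].pfn;
    return 0;
}

/* Constructed scenarios; returns the validator's verdict for each one. */
int demo_case(int which)
{
    uint64_t base = 0;
    struct fake_pte ok[3]   = {{0x100, true, true}, {0x101, true, true}, {0x102, true, true}};
    struct fake_pte gap[3]  = {{0x100, true, true}, {0x101, true, true}, {0x200, true, true}};
    struct fake_pte refc[3] = {{0x100, true, true}, {0x101, true, false}, {0x102, true, true}};
    struct fake_pte ro[3]   = {{0x100, false, true}, {0x101, false, true}, {0x102, false, true}};
    switch (which) {
    case 0: return validate_pfnmap_range(ok, 3, MEM_ACCESS_WRITE, &base);   /* accepted */
    case 1: return validate_pfnmap_range(gap, 3, MEM_ACCESS_WRITE, &base);  /* gap in PFNs */
    case 2: return validate_pfnmap_range(refc, 3, MEM_ACCESS_WRITE, &base); /* refcounted page */
    case 3: return validate_pfnmap_range(ro, 3, MEM_ACCESS_WRITE, &base);   /* write to read-only */
    case 4: return validate_pfnmap_range(ro, 3, 0, &base); /* read-only mapping, read access */
    default: return -1;
    }
}
```

Only the first scenario and the read-only/read-access one pass; the old code, which looked at a single PTE, would have accepted the gapped and refcounted runs as well.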