In the Linux kernel, the following vulnerability has been resolved:
KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()
Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().

It looks up stt from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees stt.

Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because stt is used outside the locked regions.
With an artificial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF:
  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505
  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1
  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV
  Call Trace:
    dump_stack_lvl+0xb4/0x108 (unreliable)
    print_report+0x2b4/0x6ec
    kasan_report+0x118/0x2b0
    __asan_load4+0xb8/0xd0
    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
    kvm_vfio_set_attr+0x524/0xac0 [kvm]
    kvm_device_ioctl+0x144/0x240 [kvm]
    sys_ioctl+0x62c/0x1810
    system_call_exception+0x190/0x440
    system_call_vectored_common+0x15c/0x2ec
  ...
  Freed by task 0:
  ...
    kfree+0xec/0x3e0
    release_spapr_tce_table+0xd4/0x11c [kvm]
    rcu_core+0x568/0x16a0
    handle_softirqs+0x23c/0x920
    do_softirq_own_stack+0x6c/0x90
    do_softirq_own_stack+0x58/0x90
    __irq_exit_rcu+0x218/0x2d0
    irq_exit+0x30/0x80
    arch_local_irq_restore+0x128/0x230
    arch_local_irq_enable+0x1c/0x30
    cpuidle_enter_state+0x134/0x5cc
    cpuidle_enter+0x6c/0xb0
    call_cpuidle+0x7c/0x100
    do_idle+0x394/0x410
    cpu_startup_entry+0x60/0x70
    start_secondary+0x3fc/0x410
    start_secondary_prolog+0x10/0x14
Fix it by delaying the fdput() until stt is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or __cleanup style cleanup.
With the fix in place the test case no longer triggers the UAF.
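The lifetime bug and its fix, as an added userspace model that is not kernel code: a file reference keeps the table it owns alive, and closing the last reference releases the table. The struct names, the fdget/fdput models and the "other thread" helper are constructed for illustration; the real kernel path frees stt via call_rcu(), which this model collapses into an immediate release.

```c
#include <stdbool.h>

/* Constructed model of stt: a table that becomes invalid once released. */
struct tce_table { bool freed; };
/* Constructed model of struct file: a refcount plus the table it owns. */
struct file { int refcount; struct tce_table *stt; };

/* Models kvm_spapr_tce_release() -> release_spapr_tce_table(): the table
 * is released when the last reference to the file is dropped. */
static void file_release(struct file *f) { f->stt->freed = true; }

static struct file *fdget_model(struct file *f) { f->refcount++; return f; }
static void fdput_model(struct file *f) { if (--f->refcount == 0) file_release(f); }

/* The other thread closing tablefd: drops the fd table's own reference. */
static void other_thread_close(struct file *f) { fdput_model(f); }

/* Vulnerable shape: fdput() right after the lookup, stt used afterwards.
 * Returns true if stt was read after it had been released (the UAF). */
static bool attach_vulnerable(struct file *f)
{
    struct tce_table *stt = fdget_model(f)->stt;
    fdput_model(f);            /* reference dropped too early */
    other_thread_close(f);     /* race window: close() releases stt */
    return stt->freed;         /* ...yet stt is still used here */
}

/* Fixed shape: fdput() is delayed until stt is no longer in use, so a
 * concurrent close() cannot drop the last reference underneath us. */
static bool attach_fixed(struct file *f)
{
    struct tce_table *stt = fdget_model(f)->stt;
    other_thread_close(f);     /* same close attempt; refcount stays > 0 */
    bool used_after_free = stt->freed;
    fdput_model(f);            /* our reference goes only at the return path */
    return used_after_free;
}

/* Each run starts with one reference held by the fd table (refcount 1). */
bool demo_vulnerable(void)
{
    struct tce_table t = { false }; struct file f = { 1, &t };
    return attach_vulnerable(&f);  /* true: stt read after release */
}
bool demo_fixed(void)
{
    struct tce_table t = { false }; struct file f = { 1, &t };
    return attach_fixed(&f);       /* false: stt valid while in use */
}
```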