On Mon, Jan 15, 2024, Paul Durrant wrote:
@@ -638,20 +637,32 @@ int kvm_xen_hvm_set_attr(struct kvm *kvm, struct kvm_xen_hvm_attr *data) } break;
- case KVM_XEN_ATTR_TYPE_SHARED_INFO: {
- case KVM_XEN_ATTR_TYPE_SHARED_INFO:
- case KVM_XEN_ATTR_TYPE_SHARED_INFO_HVA: { int idx;
mutex_lock(&kvm->arch.xen.xen_lock); idx = srcu_read_lock(&kvm->srcu);
if (data->u.shared_info.gfn == KVM_XEN_INVALID_GFN) {
kvm_gpc_deactivate(&kvm->arch.xen.shinfo_cache);
r = 0;
if (data->type == KVM_XEN_ATTR_TYPE_SHARED_INFO) {
if (data->u.shared_info.gfn == KVM_XEN_INVALID_GFN) {
kvm_gpc_deactivate(&kvm->arch.xen.shinfo_cache);
r = 0;
} else {
r = kvm_gpc_activate(&kvm->arch.xen.shinfo_cache,
gfn_to_gpa(data->u.shared_info.gfn),
PAGE_SIZE);
} else {}
r = kvm_gpc_activate(&kvm->arch.xen.shinfo_cache,
gfn_to_gpa(data->u.shared_info.gfn),
PAGE_SIZE);
if (data->u.shared_info.hva == 0) {
I know I said I don't care about the KVM Xen ABI, but I still think using '0' as "invalid" is ridiculous.
More importantly, this code needs to check that HVA is a userspace pointer. Because __kvm_set_memory_region() performs the address checks, KVM assumes any hva that it gets out of a memslot, i.e. from a gfn, is a safe userspace address.
kvm_is_error_hva() will catch most addresses, but I'm pretty sure there's still a small window where userspace could use this to write kernel memory.
kvm_gpc_deactivate(&kvm->arch.xen.shinfo_cache);
r = 0;
} else {
r = kvm_gpc_activate_hva(&kvm->arch.xen.shinfo_cache,
data->u.shared_info.hva,
PAGE_SIZE);
}