From patchwork Thu Sep 26 15:13:09 2024
X-Patchwork-Submitter: Massimiliano Pellizzer
X-Patchwork-Id: 1989862
From: Massimiliano Pellizzer
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/1] KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr()
Date: Thu, 26 Sep 2024 17:13:09 +0200
Message-ID: <20240926151331.54544-2-massimiliano.pellizzer@canonical.com>
In-Reply-To: <20240926151331.54544-1-massimiliano.pellizzer@canonical.com>
References: <20240926151331.54544-1-massimiliano.pellizzer@canonical.com>
List-Id: Kernel team discussions

From: Oliver Upton

[ Upstream commit 6ddb4f372fc63210034b903d96ebbeb3c7195adb ]

vgic_v2_parse_attr() is responsible for finding the vCPU that matches the
user-provided CPUID, which (of course) may not be valid. If the ID is
invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled gracefully.

Similar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id() actually
returns something and fail the ioctl if not.

Cc: stable@vger.kernel.org
Fixes: 7d450e282171 ("KVM: arm/arm64: vgic-new: Add userland access to VGIC dist registers")
Reported-by: Alexander Potapenko
Tested-by: Alexander Potapenko
Reviewed-by: Alexander Potapenko
Reviewed-by: Marc Zyngier
Link: https://lore.kernel.org/r/20240424173959.3776798-2-oliver.upton@linux.dev
Signed-off-by: Oliver Upton
Signed-off-by: Sasha Levin
(backported from commit 4404465a1bee3607ad90a4c5f9e16dfd75b85728 linux-5.10.y)
[mpellizzer: backported applying the patch to virt/kvm/arm/vgic/vgic-kvm-device.c
 and solving the merge conflicts due to different context]
CVE-2024-36953
Signed-off-by: Massimiliano Pellizzer
---
 virt/kvm/arm/vgic/vgic-kvm-device.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/virt/kvm/arm/vgic/vgic-kvm-device.c b/virt/kvm/arm/vgic/vgic-kvm-device.c index 5eaede3e3b5a..9497e8368b90 100644 --- a/virt/kvm/arm/vgic/vgic-kvm-device.c +++ b/virt/kvm/arm/vgic/vgic-kvm-device.c @@ -289,8 +289,10 @@ int vgic_v2_parse_attr(struct kvm_device *dev, struct kvm_device_attr *attr, if (cpuid >= atomic_read(&dev->kvm->online_vcpus)) return -EINVAL; - reg_attr->vcpu = kvm_get_vcpu(dev->kvm, cpuid); reg_attr->addr = attr->attr & KVM_DEV_ARM_VGIC_OFFSET_MASK; + reg_attr->vcpu = kvm_get_vcpu(dev->kvm, cpuid); + if (!reg_attr->vcpu) + return -EINVAL; return 0; }
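Review bot: the commit message describes kvm_get_vcpu_by_id() returning NULL, but the backported hunk calls kvm_get_vcpu(dev->kvm, cpuid), and the cpuid it passes has already been bounds-checked against online_vcpus two lines above the removed line; the [mpellizzer: ...] backport note should state that the lookup function differs in this tree and why the NULL check is still wanted after the existing range check, so a later reader does not take the new "if (!reg_attr->vcpu) return -EINVAL;" for dead code. Moving the reg_attr->vcpu assignment below the reg_attr->addr assignment is not needed for the fix itself, but it keeps the hunk aligned with the upstream ordering, which is worth a word in the same note. Otherwise the change does what the message says: it fails the ioctl with -EINVAL on a NULL vCPU, mirroring the GICv3 path the message cites.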