mbox series

[v3,0/3] KVM: Fix use-after-free in debugfs

Message ID 20220406235615.1447180-1-oupton@google.com (mailing list archive)
Headers show
Series KVM: Fix use-after-free in debugfs | expand

Message

Oliver Upton April 6, 2022, 11:56 p.m. UTC 
Funny enough, dirty_log_perf_test on arm64 highlights some issues around
the use of debugfs in KVM. The test leaks a GIC FD across test
iterations, and as such the associated VM is never destroyed.
Nonetheless, the VM FD is reused for the next VM, which collides with
the old debugfs directory.

Where things get off is when the vgic-state debugfs file is created. KVM
does not check if the VM directory exists before creating the file,
which results in the file being added to the root of debugfs when the
aforementioned collision occurs.

Since KVM relies on deleting the VM directory to clean up all associated
files, the errant vgic-state file never gets cleaned up. Poking the file
after the VM is destroyed is a use-after-free :)

Patch 1 shuts the door on any mistaken debugfs file creations by
initializing kvm->debugfs_dentry with ERR_PTR() instead of NULL.

The last two patches ensure the GIC FD actually gets closed by the
selftests that use it. Patch 2 is a genuine bug fix since it will create
multiple VMs for a single test run. The arch_timer test also happens to
leak the GIC FD, though it is benign since the test creates a single VM.
Patch 3 gets the arch_timer test to follow the well-behaved pattern.

Applies cleanly to 5.18-rc1.

Tested on an Ampere Altra system in the following combinations:

  - Bad kernel + fixed selftests
  - Fixed kernel + bad selftests

In both cases there was no vgic-state file at the root of
debugfs. Additionally, I made sure the VM debugfs directory was in fact
cleaned up at exit.

v1: https://lore.kernel.org/kvm/20220402174044.2263418-1-oupton@google.com/
v2: https://lore.kernel.org/kvm/20220404182119.3561025-1-oupton@google.com/

v2 -> v3:
 - Fix error checking in kvm_destroy_vm_debugfs(). Embarrassingly, v2
   worsened the bug by not cleaning up the VM directory... (Marc)

v1 -> v2:
 - Initialize kvm->debugfs_dentry to ERR_PTR(-ENOENT) to
   prevent the creation of all VM debug files, not just vgic-state.
 - Leave logging as-is for now. Consider dropping altogether in a
   later patch (Sean)
 - Collect R-b from Jing

Oliver Upton (3):
  KVM: Don't create VM debugfs files outside of the VM directory
  selftests: KVM: Don't leak GIC FD across dirty log test iterations
  selftests: KVM: Free the GIC FD when cleaning up in arch_timer

 .../selftests/kvm/aarch64/arch_timer.c        | 15 +++++---
 .../selftests/kvm/dirty_log_perf_test.c       | 34 +++++++++++++++++--
 virt/kvm/kvm_main.c                           | 10 ++++--
 3 files changed, 50 insertions(+), 9 deletions(-)

Comments

Marc Zyngier April 7, 2022, 9:47 a.m. UTC | #1 
On Wed, 6 Apr 2022 23:56:12 +0000, Oliver Upton wrote:
> Funny enough, dirty_log_perf_test on arm64 highlights some issues around
> the use of debugfs in KVM. The test leaks a GIC FD across test
> iterations, and as such the associated VM is never destroyed.
> Nonetheless, the VM FD is reused for the next VM, which collides with
> the old debugfs directory.
> 
> Where things get off is when the vgic-state debugfs file is created. KVM
> does not check if the VM directory exists before creating the file,
> which results in the file being added to the root of debugfs when the
> aforementioned collision occurs.
> 
> [...]

Applied to fixes, thanks!

[1/3] KVM: Don't create VM debugfs files outside of the VM directory
      commit: a44a4cc1c969afec97dbb2aedaf6f38eaa6253bb
[2/3] selftests: KVM: Don't leak GIC FD across dirty log test iterations
      commit: 386ba265a8197716076a88853244f4437b92b167
[3/3] selftests: KVM: Free the GIC FD when cleaning up in arch_timer
      commit: 21db83846683d3987666505a3ec38f367708199a

Cheers,

	M.