From patchwork Fri May 3 18:17:33 2024
X-Patchwork-Submitter: David Matlack
X-Patchwork-Id: 13653277
Date: Fri, 3 May 2024 11:17:33 -0700
In-Reply-To: <20240503181734.1467938-1-dmatlack@google.com>
References: <20240503181734.1467938-1-dmatlack@google.com>
Message-ID: <20240503181734.1467938-3-dmatlack@google.com>
Subject: [PATCH v3 2/3] KVM: Ensure new code that references immediate_exit gets extra scrutiny
From: David Matlack
To: Paolo Bonzini
Cc: Marc Zyngier, Oliver Upton, James Morse, Suzuki K Poulose, Zenghui Yu, Tianrui Zhao, Bibo Mao, Huacai Chen, Michael Ellerman, Nicholas Piggin, Anup Patel, Atish Patra, Paul Walmsley, Palmer Dabbelt, Albert Ou, Christian Borntraeger, Janosch Frank, Claudio Imbrenda, David Hildenbrand, Sean Christopherson, linux-arm-kernel@lists.infradead.org, kvmarm@lists.linux.dev, kvm@vger.kernel.org, loongarch@lists.linux.dev, linux-mips@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, kvm-riscv@lists.infradead.org, linux-riscv@lists.infradead.org, David Matlack

Ensure that any new KVM code that references immediate_exit gets extra
scrutiny by renaming it to immediate_exit__unsafe in kernel code.

All fields in struct kvm_run are subject to TOCTOU races since they are
mapped into userspace, which may be malicious or buggy. To protect KVM,
this commit introduces a new macro that appends __unsafe to field names
in struct kvm_run, hinting to developers and reviewers that accessing
this field must be done carefully.

Apply the new macro to immediate_exit, since userspace can make
immediate_exit inconsistent with vcpu->wants_to_run, i.e. accessing
immediate_exit directly could lead to unexpected bugs in the future.

Signed-off-by: David Matlack
---
 include/uapi/linux/kvm.h | 15 ++++++++++++++-
 virt/kvm/kvm_main.c      |  2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 2190adbe3002..3611ad3b9c2a 100644
--- a/include/uapi/linux/kvm.h +++ b/include/uapi/linux/kvm.h @@ -192,11 +192,24 @@ struct kvm_xen_exit { /* Flags that describe what fields in emulation_failure hold valid data. */ #define KVM_INTERNAL_ERROR_EMULATION_FLAG_INSTRUCTION_BYTES (1ULL << 0) +/* + * struct kvm_run can be modified by userspace at any time, so KVM must be + * careful to avoid TOCTOU bugs. In order to protect KVM, HINT_UNSAFE_IN_KVM() + * renames fields in struct kvm_run from to __unsafe when + * compiled into the kernel, ensuring that any use within KVM is obvious and + * gets extra scrutiny. + */ +#ifdef __KERNEL__ +#define HINT_UNSAFE_IN_KVM(_symbol) _symbol##__unsafe +#else +#define HINT_UNSAFE_IN_KVM(_symbol) _symbol +#endif + /* for KVM_RUN, returned by mmap(vcpu_fd, offset=0) */ struct kvm_run { /* in */ __u8 request_interrupt_window; - __u8 immediate_exit; + __u8 HINT_UNSAFE_IN_KVM(immediate_exit); __u8 padding1[6]; /* out */ diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index bdea5b978f80..2b29851a90bd 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -4425,7 +4425,7 @@ static long kvm_vcpu_ioctl(struct file *filp, synchronize_rcu(); put_pid(oldpid); } - vcpu->wants_to_run = !READ_ONCE(vcpu->run->immediate_exit); + vcpu->wants_to_run = !READ_ONCE(vcpu->run->immediate_exit__unsafe); r = kvm_arch_vcpu_ioctl_run(vcpu); vcpu->wants_to_run = false;
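Review bot: in the include/uapi/linux/kvm.h hunk, the block comment above HINT_UNSAFE_IN_KVM() reads "renames fields in struct kvm_run from to __unsafe", so the placeholder names are missing; write the mapping out, e.g. "from name to name__unsafe". The same comment says all of struct kvm_run can change under KVM, yet the macro is applied only to immediate_exit while request_interrupt_window on the line above keeps its plain name; add a sentence stating that the suffix is applied field by field wherever KVM keeps its own private copy (here vcpu->wants_to_run), so nobody reads an unsuffixed field as safe to re-read. Since this is a uapi header, the `#ifdef __KERNEL__` branch is stripped by headers_install and userspace still sees `__u8 HINT_UNSAFE_IN_KVM(immediate_exit);` expanding through the identity macro; that compiles, but a short note that the wrapper is a no-op outside the kernel would save exported-header readers a detour.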
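Review bot: in the virt/kvm/kvm_main.c hunk, the READ_ONCE() into vcpu->wants_to_run is now the one sanctioned read of the field, but nothing at the call site says so; add a one-line comment such as `/* Snapshot once: the page is userspace-writable, use wants_to_run from here on. */` so the next person who needs the value reaches for vcpu->wants_to_run instead of re-reading the __unsafe field. It would also help to state in the commit message that the rename is a compile-time barrier: any remaining `vcpu->run->immediate_exit` access, in-tree or out-of-tree, now fails to build instead of silently racing, which is the property the subject line promises.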
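As an added example, not code from the patch or from KVM: a user-space C model of the TOCTOU the commit message describes. `struct run_page`, `run_vcpu_double_read()`, `run_vcpu_snapshot()`, `struct outcome` and the `racer` callback are illustrative names chosen here, not KVM's; the callback stands in for the userspace thread that can rewrite the mmap'd struct kvm_run while the KVM_RUN ioctl is in flight, and `READ_ONCE_U8()` plays the part of the kernel's READ_ONCE(). The first function re-reads the shared byte for each decision and can be made to both enter the guest and report an immediate exit; the second snapshots once into private state, which is what the patch's vcpu->wants_to_run is for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy stand-in for struct kvm_run.  Userspace maps the real thing with
 * mmap(vcpu_fd) and may rewrite any byte at any moment.  Illustrative
 * layout only.
 */
struct run_page {
	uint8_t request_interrupt_window;
	uint8_t immediate_exit;
};

/* Same idea as the kernel's READ_ONCE(): exactly one volatile load. */
#define READ_ONCE_U8(x) (*(const volatile uint8_t *)&(x))

/* Models a userspace thread racing the ioctl; called between two kernel steps. */
typedef void (*racer_fn)(struct run_page *);

/* What one simulated KVM_RUN did. */
struct outcome {
	bool entered_guest;      /* the vCPU was actually run */
	bool exited_immediately; /* the ioctl told userspace it bailed early */
};

/*
 * BAD pattern: every decision re-reads the shared field.  If userspace
 * flips the byte between the two loads, the ioctl both runs the guest and
 * claims it exited immediately, i.e. the two views of "immediate_exit"
 * disagree with each other.
 */
struct outcome run_vcpu_double_read(struct run_page *run, racer_fn racer)
{
	struct outcome o = { false, false };

	if (!READ_ONCE_U8(run->immediate_exit))
		o.entered_guest = true;

	if (racer)
		racer(run);	/* userspace writes the page here */

	if (READ_ONCE_U8(run->immediate_exit))
		o.exited_immediately = true;	/* second read, may disagree */

	return o;
}

/*
 * GOOD pattern: snapshot once into kernel-private state (the role of
 * vcpu->wants_to_run in the patch) and decide everything from the snapshot.
 */
struct outcome run_vcpu_snapshot(struct run_page *run, racer_fn racer)
{
	struct outcome o = { false, false };
	bool wants_to_run = !READ_ONCE_U8(run->immediate_exit);

	if (wants_to_run)
		o.entered_guest = true;

	if (racer)
		racer(run);	/* userspace still writes the page ... */

	if (!wants_to_run)
		o.exited_immediately = true;	/* ... but it cannot be observed here */

	return o;
}

/* Constructed racer: userspace sets immediate_exit while the ioctl runs. */
void racer_set_immediate_exit(struct run_page *run)
{
	run->immediate_exit = 1;
}

/* An outcome is self-consistent when exactly one of the two things happened. */
bool outcome_consistent(struct outcome o)
{
	return o.entered_guest != o.exited_immediately;
}

int main(void)
{
	struct run_page page = { 0, 0 };
	struct outcome o;

	o = run_vcpu_double_read(&page, racer_set_immediate_exit);
	printf("double read: entered=%d exited_immediately=%d consistent=%d\n",
	       o.entered_guest, o.exited_immediately, outcome_consistent(o));

	page.immediate_exit = 0;
	o = run_vcpu_snapshot(&page, racer_set_immediate_exit);
	printf("snapshot:    entered=%d exited_immediately=%d consistent=%d\n",
	       o.entered_guest, o.exited_immediately, outcome_consistent(o));
	return 0;
}
```

In a real race the "racer" is a second thread scribbling on the mmap'd page with no synchronisation at all, so the window is not a single well-placed callback but every instruction of the ioctl; the snapshot pattern is the only one whose result does not depend on where the write lands.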