CVE-2024-41070

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 29/07/2024
Last modified: 22/08/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()

Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().

It looks up `stt` from tablefd, but then continues to use it after doing
fdput() on the returned fd. After the fdput() the tablefd is free to be
closed by another thread. The close calls kvm_spapr_tce_release() and
then release_spapr_tce_table() (via call_rcu()) which frees `stt`.

Although there are calls to rcu_read_lock() in
kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent
the UAF, because `stt` is used outside the locked regions.

With an artificial delay after the fdput() and a userspace program which
triggers the race, KASAN detects the UAF:

BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505
CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1
Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV
Call Trace:
dump_stack_lvl+0xb4/0x108 (unreliable)
print_report+0x2b4/0x6ec
kasan_report+0x118/0x2b0
__asan_load4+0xb8/0xd0
kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
kvm_vfio_set_attr+0x524/0xac0 [kvm]
kvm_device_ioctl+0x144/0x240 [kvm]
sys_ioctl+0x62c/0x1810
system_call_exception+0x190/0x440
system_call_vectored_common+0x15c/0x2ec
...
Freed by task 0:
...
kfree+0xec/0x3e0
release_spapr_tce_table+0xd4/0x11c [kvm]
rcu_core+0x568/0x16a0
handle_softirqs+0x23c/0x920
do_softirq_own_stack+0x6c/0x90
do_softirq_own_stack+0x58/0x90
__irq_exit_rcu+0x218/0x2d0
irq_exit+0x30/0x80
arch_local_irq_restore+0x128/0x230
arch_local_irq_enable+0x1c/0x30
cpuidle_enter_state+0x134/0x5cc
cpuidle_enter+0x6c/0xb0
call_cpuidle+0x7c/0x100
do_idle+0x394/0x410
cpu_startup_entry+0x60/0x70
start_secondary+0x3fc/0x410
start_secondary_prolog+0x10/0x14

Fix it by delaying the fdput() until `stt` is no longer in use, which
is effectively the entire function. To keep the patch minimal add a call
to fdput() at each of the existing return paths. Future work can convert
the function to goto or __cleanup style cleanup.

With the fix in place the test case no longer triggers the UAF.
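The ordering defect described above comes down to dropping the fd reference that keeps `stt` alive before the last use of `stt`. The following user-space model, added here as an illustration and not taken from the kernel or from the advisory, shows the pre-fix and post-fix orderings side by side: a file holds the table, fdget() pins the file, and a close() from another thread is simulated at exactly the point where the original code had already called fdput(). All names (`model_file`, `tce_table`, `file_get`, `file_put`, `attach_buggy`, `attach_fixed`, `run_model`) and the sample values are constructed for this example; `freed` is a flag standing in for the kfree() that release_spapr_tce_table() performs, so the model never touches freed memory itself.

```c
#include <stdio.h>

/*
 * Added example, not kernel code: a reference-ordering model of
 * CVE-2024-41070. All identifiers here are constructed for illustration.
 */

/* Stands in for the table that release_spapr_tce_table() frees. */
struct tce_table {
    unsigned long liobn;
    int freed;          /* set when the owning file is released (models kfree via call_rcu) */
};

/* Stands in for the struct file behind tablefd. */
struct model_file {
    int refcount;       /* fd table's own reference plus any fdget() references */
    struct tce_table *stt;
};

/* fdget(): pin the file so a concurrent close() cannot release it. */
static struct model_file *file_get(struct model_file *f)
{
    f->refcount++;
    return f;
}

/* fdput()/fput(): drop a reference; the last one runs release and frees the table. */
static void file_put(struct model_file *f)
{
    if (--f->refcount == 0)
        f->stt->freed = 1;  /* kvm_spapr_tce_release() -> release_spapr_tce_table() */
}

/* Another thread calling close(tablefd) while we are still working with stt. */
static void racing_close(struct model_file *f)
{
    file_put(f);
}

/*
 * Pre-fix ordering: fdput() right after the lookup, then stt is still used.
 * Returns 1 if stt had already been freed at the point of use.
 */
static int attach_buggy(struct model_file *f)
{
    struct model_file *fd = file_get(f);
    struct tce_table *stt = fd->stt;
    file_put(fd);               /* early fdput: the reference keeping stt alive is gone */
    racing_close(f);            /* the window: close() from another thread */
    return stt->freed;          /* read of a possibly freed object (the KASAN report) */
}

/*
 * Post-fix ordering: the fd reference is held across every use of stt and
 * fdput() is called on the return path, so the racing close() cannot run
 * release until we are finished.
 */
static int attach_fixed(struct model_file *f)
{
    struct model_file *fd = file_get(f);
    struct tce_table *stt = fd->stt;
    racing_close(f);            /* same racing close(): only drops the fd table's reference */
    int freed = stt->freed;     /* safe: our fdget() reference keeps the file alive */
    file_put(fd);               /* fdput() deferred to the return path */
    return freed;
}

/*
 * Runs one attach variant against a fresh file/table pair whose only initial
 * reference is the fd table's. Reports whether the table was freed after return.
 */
static int run_model(int (*attach)(struct model_file *), int *freed_after)
{
    struct tce_table t = { .liobn = 0x1234, .freed = 0 };   /* constructed sample table */
    struct model_file f = { .refcount = 1, .stt = &t };
    int rc = attach(&f);
    *freed_after = t.freed;
    return rc;
}

int main(void)
{
    int freed;
    int buggy = run_model(attach_buggy, &freed);
    printf("buggy ordering: used after free = %d\n", buggy);
    int fixed = run_model(attach_fixed, &freed);
    printf("fixed ordering: used after free = %d, table freed after return = %d\n",
           fixed, freed);
    return 0;
}
```

The point the model makes is the one in the fix: rcu_read_lock() around individual lookups does not help when the object is dereferenced outside those regions, whereas keeping the fd reference until the last use makes the concurrent close() harmless because release cannot run while that reference is held. In both orderings the table is eventually freed; only the fixed ordering guarantees that happens after the function stops using it.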

Vulnerable products and versions

CPE                                            From                 Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   -                    5.4.281 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.5 (including)      5.10.223 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.11 (including)     5.15.164 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)     6.1.101 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)      6.6.42 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)      6.9.11 (excluding)