CVE-2024-50114

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
05/11/2024
Last modified:
11/12/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: arm64: Unregister redistributor for failed vCPU creation

Alex reports that syzkaller has managed to trigger a use-after-free when
tearing down a VM:

BUG: KASAN: slab-use-after-free in kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
Read of size 8 at addr ffffff801c6890d0 by task syz.3.2219/10758

CPU: 3 UID: 0 PID: 10758 Comm: syz.3.2219 Not tainted 6.11.0-rc6-dirty #64
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x17c/0x1a8 arch/arm64/kernel/stacktrace.c:317
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:324
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x94/0xc0 lib/dump_stack.c:119
 print_report+0x144/0x7a4 mm/kasan/report.c:377
 kasan_report+0xcc/0x128 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 kvm_put_kvm+0x300/0xe68 virt/kvm/kvm_main.c:5769
 kvm_vm_release+0x4c/0x60 virt/kvm/kvm_main.c:1409
 __fput+0x198/0x71c fs/file_table.c:422
 ____fput+0x20/0x30 fs/file_table.c:450
 task_work_run+0x1cc/0x23c kernel/task_work.c:228
 do_notify_resume+0x144/0x1a0 include/linux/resume_user_mode.h:50
 el0_svc+0x64/0x68 arch/arm64/kernel/entry-common.c:169
 el0t_64_sync_handler+0x90/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Upon closer inspection, it appears that we do not properly tear down the
MMIO registration for a vCPU that fails creation late in the game, e.g.
a vCPU w/ the same ID already exists in the VM.

It is important to consider the context of commit that introduced this bug
by moving the unregistration out of __kvm_vgic_vcpu_destroy(). That
change correctly sought to avoid an srcu v. config_lock inversion by
breaking up the vCPU teardown into two parts, one guarded by the
config_lock.

Fix the use-after-free while avoiding lock inversion by adding a
special-cased unregistration to __kvm_vgic_vcpu_destroy(). This is safe
because failed vCPUs are torn down outside of the config_lock.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
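The CPE table above mixes a half-open release range (6.11 up to but excluding 6.11.6) with four individually listed 6.12 release candidates, which is awkward to check by eye against a `uname -r` string such as `6.12.0-rc3` or `6.11.5-arch1-1`. The following is an added triage script, not part of this advisory or of the kernel project; it transcribes the table into data and parses mainline-style version strings. Function names (`parse_kernel_version`, `is_affected`, `running_kernel_affected`) are this example's own. It only knows what the table states: 6.11 release candidates (including the `6.11.0-rc6` kernel in the KASAN report) are not listed, so they are reported as not affected.

```python
import platform
import re
from typing import NamedTuple, Optional


class KernelVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    rc: Optional[int]  # None for a release, N for an -rcN candidate


# Matches "6.11", "6.11.5", "6.12-rc3", "6.12.0-rc3" and ignores any distro
# suffix that follows (e.g. "6.11.5-arch1-1", "6.11.0-rc6-dirty").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(text: str) -> KernelVersion:
    """Parse a mainline-style kernel version string into its components."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    major, minor, patch, rc = m.groups()
    return KernelVersion(int(major), int(minor), int(patch or 0),
                         int(rc) if rc is not None else None)


# Transcribed from the advisory's CPE table:
#   linux_kernel:* from 6.11 (including) up to 6.11.6 (excluding)
AFFECTED_RELEASE_RANGE = ((6, 11, 0), (6, 11, 6))
#   linux_kernel:6.12:rc1 .. 6.12:rc4, each listed individually
AFFECTED_RC_VERSIONS = {(6, 12, 1), (6, 12, 2), (6, 12, 3), (6, 12, 4)}


def is_affected(version: str) -> bool:
    """Return True if the version falls inside the advisory's listed ranges."""
    v = parse_kernel_version(version)
    if v.rc is not None:
        # Release candidates are listed one by one, not as a range.
        return (v.major, v.minor, v.rc) in AFFECTED_RC_VERSIONS
    lo, hi = AFFECTED_RELEASE_RANGE
    return lo <= (v.major, v.minor, v.patch) < hi


def running_kernel_affected() -> bool:
    """Check the kernel this script is running on (uname -r)."""
    return is_affected(platform.release())


if __name__ == "__main__":
    # Constructed sample inputs; the last line checks the live host.
    for sample in ("6.11", "6.11.5", "6.11.6", "6.12-rc1", "6.12.0-rc5", "6.12"):
        print(f"{sample:12} affected={is_affected(sample)}")
    print(f"{platform.release():12} affected={running_kernel_affected()}")
```

A match on the version string is a triage signal, not proof of exposure: distribution kernels keep their upstream version number while carrying backported fixes, so a `6.11.5`-based vendor kernel may already contain the patch, and the bug is only reachable on arm64 hosts running KVM guests. Confirm against the vendor's own advisory before acting on the result.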