|
Message-ID: <87im0x1lqi.fsf@mpe.ellerman.id.au> Date: Mon, 26 Jul 2021 19:13:25 +1000 From: Michael Ellerman <mpe@...erman.id.au> To: oss-security@...ts.openwall.com Cc: linuxppc-dev@...ts.ozlabs.org Subject: Linux kernel: powerpc: KVM guest to host memory corruption The Linux kernel for powerpc since v3.10 has a bug which allows a malicious KVM guest to corrupt host memory. In the handling of the H_RTAS hypercall, args.rets is made to point into the args.args buffer which is located on the stack: args.rets = &args.args[be32_to_cpu(args.nargs)]; However args.nargs has not been range checked. That allows the guest to point args.rets anywhere up to +16GB from args.args. The guest does not have control of what is written to args.rets, it is always (u32)-3, because subsequent code does check nargs. Additionally the guest will be killed as a result of the nargs being out of range, so a given guest only has a single shot at corrupting memory. Only machines using Linux as the hypervisor, aka. KVM or bare metal, are affected by the bug. The bug was introduced in: 8e591cb72047 ("KVM: PPC: Book3S: Add infrastructure to implement kernel-side RTAS calls") Which was first released in v3.10. The upstream fix is: f62f3c20647e ("KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow") https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f62f3c20647ebd5fb6ecb8f0b477b9281c44c10a Which will be included in the v5.14 release. cheers
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.