mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-07 13:43:51 +00:00
KVM: Ensure new code that references immediate_exit gets extra scrutiny
Ensure that any new KVM code that references immediate_exit gets extra scrutiny by renaming it to immediate_exit__unsafe in kernel code. All fields in struct kvm_run are subject to TOCTOU races since they are mapped into userspace, which may be malicious or buggy. To protect KVM, introduces a new macro that appends __unsafe to select field names in struct kvm_run, hinting to developers and reviewers that accessing such fields must be done carefully. Apply the new macro to immediate_exit, since userspace can make immediate_exit inconsistent with vcpu->wants_to_run, i.e. accessing immediate_exit directly could lead to unexpected bugs in the future. Signed-off-by: David Matlack <dmatlack@google.com> Link: https://lore.kernel.org/r/20240503181734.1467938-3-dmatlack@google.com [sean: massage changelog] Signed-off-by: Sean Christopherson <seanjc@google.com>
This commit is contained in:
parent
a6816314af
commit
4b23e0c199
@ -192,11 +192,24 @@ struct kvm_xen_exit {
|
||||
/* Flags that describe what fields in emulation_failure hold valid data. */
|
||||
#define KVM_INTERNAL_ERROR_EMULATION_FLAG_INSTRUCTION_BYTES (1ULL << 0)
|
||||
|
||||
/*
|
||||
* struct kvm_run can be modified by userspace at any time, so KVM must be
|
||||
* careful to avoid TOCTOU bugs. In order to protect KVM, HINT_UNSAFE_IN_KVM()
|
||||
* renames fields in struct kvm_run from <symbol> to <symbol>__unsafe when
|
||||
* compiled into the kernel, ensuring that any use within KVM is obvious and
|
||||
* gets extra scrutiny.
|
||||
*/
|
||||
#ifdef __KERNEL__
|
||||
#define HINT_UNSAFE_IN_KVM(_symbol) _symbol##__unsafe
|
||||
#else
|
||||
#define HINT_UNSAFE_IN_KVM(_symbol) _symbol
|
||||
#endif
|
||||
|
||||
/* for KVM_RUN, returned by mmap(vcpu_fd, offset=0) */
|
||||
struct kvm_run {
|
||||
/* in */
|
||||
__u8 request_interrupt_window;
|
||||
__u8 immediate_exit;
|
||||
__u8 HINT_UNSAFE_IN_KVM(immediate_exit);
|
||||
__u8 padding1[6];
|
||||
|
||||
/* out */
|
||||
|
@ -4435,7 +4435,7 @@ static long kvm_vcpu_ioctl(struct file *filp,
|
||||
synchronize_rcu();
|
||||
put_pid(oldpid);
|
||||
}
|
||||
vcpu->wants_to_run = !READ_ONCE(vcpu->run->immediate_exit);
|
||||
vcpu->wants_to_run = !READ_ONCE(vcpu->run->immediate_exit__unsafe);
|
||||
r = kvm_arch_vcpu_ioctl_run(vcpu);
|
||||
vcpu->wants_to_run = false;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user