Commit 4b23e0c1 authored by David Matlack's avatar David Matlack Committed by Sean Christopherson

KVM: Ensure new code that references immediate_exit gets extra scrutiny

Ensure that any new KVM code that references immediate_exit gets extra
scrutiny by renaming it to immediate_exit__unsafe in kernel code.

All fields in struct kvm_run are subject to TOCTOU races since they are
mapped into userspace, which may be malicious or buggy. To protect KVM,
introduces a new macro that appends __unsafe to select field names in
struct kvm_run, hinting to developers and reviewers that accessing such
fields must be done carefully.

Apply the new macro to immediate_exit, since userspace can make
immediate_exit inconsistent with vcpu->wants_to_run, i.e. accessing
immediate_exit directly could lead to unexpected bugs in the future.
Signed-off-by: default avatarDavid Matlack <dmatlack@google.com>
Link: https://lore.kernel.org/r/20240503181734.1467938-3-dmatlack@google.com
[sean: massage changelog]
Signed-off-by: default avatarSean Christopherson <seanjc@google.com>
parent a6816314
...@@ -192,11 +192,24 @@ struct kvm_xen_exit { ...@@ -192,11 +192,24 @@ struct kvm_xen_exit {
/* Flags that describe what fields in emulation_failure hold valid data. */ /* Flags that describe what fields in emulation_failure hold valid data. */
#define KVM_INTERNAL_ERROR_EMULATION_FLAG_INSTRUCTION_BYTES (1ULL << 0) #define KVM_INTERNAL_ERROR_EMULATION_FLAG_INSTRUCTION_BYTES (1ULL << 0)
/*
* struct kvm_run can be modified by userspace at any time, so KVM must be
* careful to avoid TOCTOU bugs. In order to protect KVM, HINT_UNSAFE_IN_KVM()
* renames fields in struct kvm_run from <symbol> to <symbol>__unsafe when
* compiled into the kernel, ensuring that any use within KVM is obvious and
* gets extra scrutiny.
*/
#ifdef __KERNEL__
#define HINT_UNSAFE_IN_KVM(_symbol) _symbol##__unsafe
#else
#define HINT_UNSAFE_IN_KVM(_symbol) _symbol
#endif
/* for KVM_RUN, returned by mmap(vcpu_fd, offset=0) */ /* for KVM_RUN, returned by mmap(vcpu_fd, offset=0) */
struct kvm_run { struct kvm_run {
/* in */ /* in */
__u8 request_interrupt_window; __u8 request_interrupt_window;
__u8 immediate_exit; __u8 HINT_UNSAFE_IN_KVM(immediate_exit);
__u8 padding1[6]; __u8 padding1[6];
/* out */ /* out */
......
...@@ -4435,7 +4435,7 @@ static long kvm_vcpu_ioctl(struct file *filp, ...@@ -4435,7 +4435,7 @@ static long kvm_vcpu_ioctl(struct file *filp,
synchronize_rcu(); synchronize_rcu();
put_pid(oldpid); put_pid(oldpid);
} }
vcpu->wants_to_run = !READ_ONCE(vcpu->run->immediate_exit); vcpu->wants_to_run = !READ_ONCE(vcpu->run->immediate_exit__unsafe);
r = kvm_arch_vcpu_ioctl_run(vcpu); r = kvm_arch_vcpu_ioctl_run(vcpu);
vcpu->wants_to_run = false; vcpu->wants_to_run = false;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment