4.3 KiB
CVE-2024-26991
Description
In the Linux kernel, the following vulnerability has been resolved:KVM: x86/mmu: x86: Don't overflow lpage_info when checking attributesFix KVM_SET_MEMORY_ATTRIBUTES to not overflow lpage_info array and triggerKASAN splat, as seen in the private_mem_conversions_test selftest.When memory attributes are set on a GFN range, that range will havespecific properties applied to the TDP. A huge page cannot be used whenthe attributes are inconsistent, so they are disabled for those thespecific huge pages. For internal KVM reasons, huge pages are also notallowed to span adjacent memslots regardless of whether the backing memorycould be mapped as huge.What GFNs support which huge page sizes is tracked by an array of arrays'lpage_info' on the memslot, of ‘kvm_lpage_info’ structs. Each index oflpage_info contains a vmalloc allocated array of these for a specificsupported page size. The kvm_lpage_info denotes whether a specific hugepage (GFN and page size) on the memslot is supported. These arrays includeindices for unaligned head and tail huge pages.Preventing huge pages from spanning adjacent memslot is covered byincrementing the count in head and tail kvm_lpage_info when the memslot isallocated, but disallowing huge pages for memory that has mixed attributeshas to be done in a more complicated way. During theKVM_SET_MEMORY_ATTRIBUTES ioctl KVM updates lpage_info for each memslot inthe range that has mismatched attributes. KVM does this a memslot at atime, and marks a special bit, KVM_LPAGE_MIXED_FLAG, in the kvm_lpage_infofor any huge page. This bit is essentially a permanently elevated count.So huge pages will not be mapped for the GFN at that page size if thecount is elevated in either case: a huge head or tail page unaligned tothe memslot or if KVM_LPAGE_MIXED_FLAG is set because it has mixedattributes.To determine whether a huge page has consistent attributes, theKVM_SET_MEMORY_ATTRIBUTES operation checks an xarray to make sure itconsistently has the incoming attribute. Since level - 1 huge pages arealigned to level huge pages, it employs an optimization. As long as thelevel - 1 huge pages are checked first, it can just check these and assumethat if each level - 1 huge page contained within the level sized hugepage is not mixed, then the level size huge page is not mixed. Thisoptimization happens in the helper hugepage_has_attrs().Unfortunately, although the kvm_lpage_info array representing page size'level' will contain an entry for an unaligned tail page of size level,the array for level - 1 will not contain an entry for each GFN at pagesize level. The level - 1 array will only contain an index for anyunaligned region covered by level - 1 huge page size, which can be asmaller region. So this causes the optimization to overflow the level - 1kvm_lpage_info and perform a vmalloc out of bounds read.In some cases of head and tail pages where an overflow could happen,callers skip the operation completely as KVM_LPAGE_MIXED_FLAG is notrequired to prevent huge pages as discussed earlier. But for memslots thatare smaller than the 1GB page size, it does call hugepage_has_attrs(). Inthis case the huge page is both the head and tail page. The issue can beobserved simply by compiling the kernel with CONFIG_KASAN_VMALLOC andrunning the selftest “private_mem_conversions_test”, which produces theoutput like the following:BUG: KASAN: vmalloc-out-of-bounds in hugepage_has_attrs+0x7e/0x110Read of size 4 at addr ffffc900000a3008 by task private_mem_con/169Call Trace: dump_stack_lvl print_report ? __virt_addr_valid ? hugepage_has_attrs ? hugepage_has_attrs kasan_report ? hugepage_has_attrs hugepage_has_attrs kvm_arch_post_set_memory_attributes kvm_vm_ioctlIt is a little ambiguous whether the unaligned head page (in the bug casealso the tail page) should be expected to have KVM_LPAGE_MIXED_FLAG set.It is not functionally required, as the unal---truncated---
POC
Reference
No PoCs from references.