From nobody Wed Oct 02 16:59:00 2024
Date: Wed, 2 Oct 2024 16:59:00 GMT
Message-Id: <202410021659.492Gx0El054033@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Ed Maste
Subject: git: d19fa9c1b72b - main - vmm: avoid potential KASSERT kernel panic in vm_handle_db
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d19fa9c1b72bc52e51524abcc59ad844012ec365

The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=d19fa9c1b72bc52e51524abcc59ad844012ec365

commit d19fa9c1b72bc52e51524abcc59ad844012ec365
Author:     Pierre Pronchery
AuthorDate: 2024-07-25 14:40:35 +0000
Commit:     Ed Maste
CommitDate: 2024-10-02 16:58:45 +0000

    vmm: avoid potential KASSERT kernel panic in vm_handle_db

    If the guest VM emits the exit code VM_EXITCODE_DB the kernel will
    execute the function named vm_handle_db. If the value of rsp is not
    page aligned and if rsp+sizeof(uint64_t) spans across two pages, the
    function vm_copy_setup will need two structs vm_copyinfo to prepare the
    copy operation.

    For instance, if the rsp value is 0xFFC, two vm_copyinfo objects are
    needed:
    * address=0xFFC, len=4
    * address=0x1000, len=4

    The vulnerability was addressed by commit 51fda658baa ("vmm: Properly
    handle writes spanning across two pages in vm_handle_db"). Still,
    replace the KASSERT with an error return as a more defensive approach.

    Reported by:    Synacktiv
    Reviewed by:    markj, emaste
    Security:       HYP-09
    Sponsored by:   The Alpha-Omega Project
    Sponsored by:   The FreeBSD Foundation
    Differential Revision:  https://reviews.freebsd.org/D46133
---
 sys/amd64/vmm/vmm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
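The page-spanning split described in the commit message, as an added model that is not FreeBSD's vmm.c: it chunks a guest linear range at page boundaries the way the 0xFFC example implies, and returns EFAULT instead of asserting when the caller's array is too small. It assumes 4 KiB pages and a simplified copyinfo struct (gla and len only); the names copy_setup, example_rsp_0xffc and example_ci are the illustration's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration, not FreeBSD's vmm.c: models how vm_copy_setup splits a
 * guest linear address range into per-page chunks. Assumes 4 KiB pages and
 * the split rule implied by the commit message (a chunk ends at a page edge). */
#define GUEST_PAGE_SIZE	4096UL
#define GUEST_PAGE_MASK	(GUEST_PAGE_SIZE - 1)

struct copyinfo {
	uint64_t gla;	/* guest linear address of this chunk */
	size_t len;	/* bytes in this chunk */
};

/* Fills ci[]; returns 0, or EFAULT when num_ci entries are not enough
 * (the condition that previously fired the KASSERT). */
static int
copy_setup(uint64_t gla, size_t len, struct copyinfo *ci, int num_ci, int *nused)
{
	size_t remaining = len, off, n;
	int used = 0;

	while (remaining > 0) {
		if (used >= num_ci)	/* error return instead of a panic */
			return (EFAULT);
		off = gla & GUEST_PAGE_MASK;
		n = remaining < GUEST_PAGE_SIZE - off ? remaining : GUEST_PAGE_SIZE - off;
		ci[used].gla = gla;
		ci[used].len = n;
		gla += n;
		remaining -= n;
		used++;
	}
	*nused = used;
	return (0);
}

static struct copyinfo example_ci[2];	/* filled by example_rsp_0xffc() */

/* Commit-message case: rsp = 0xFFC, 8-byte write, num_ci entries (max 2)
 * supplied. Returns chunks used, or -EFAULT when num_ci is too small. */
static int
example_rsp_0xffc(int num_ci)
{
	int nused = 0, err;

	err = copy_setup(0xFFC, sizeof(uint64_t), example_ci,
	    num_ci > 2 ? 2 : num_ci, &nused);
	return (err != 0 ? -err : nused);	/* 2: {0xFFC,4} then {0x1000,4} */
}
```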
diff --git a/sys/amd64/vmm/vmm.c b/sys/amd64/vmm/vmm.c index 5484d71cefd2..12ebc1671641 100644 --- a/sys/amd64/vmm/vmm.c +++ b/sys/amd64/vmm/vmm.c @@ -2810,7 +2810,8 @@ vm_copy_setup(struct vcpu *vcpu, struct vm_guest_paging *paging, nused = 0; remaining = len; while (remaining > 0) { - KASSERT(nused < num_copyinfo, ("insufficient vm_copyinfo")); + if (nused >= num_copyinfo) + return (EFAULT); error = vm_gla2gpa(vcpu, paging, gla, prot, &gpa, fault); if (error || *fault) return (error);
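Review bot: the new `if (nused >= num_copyinfo) return (EFAULT);` at the top of the `while (remaining > 0)` loop would benefit from a one-line comment stating that reaching it means the caller under-sized its copyinfo array (as vm_handle_db did before 51fda658baa) rather than the guest having supplied a bad address, since a caller looking only at the errno cannot tell this programming error apart from a translation failure. Returning without any cleanup here is consistent with the existing `if (error || *fault) return (error);` two lines below, which also leaves the loop early, so the behaviour change is limited to replacing the panic with an error path.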