Linux kernel kvm memory leak DoS

Posted on 19 November 2013

When a user memory slot is moved (ie. the base_gfn changes), iommu pages are neither unpinned nor unmapped. The memory for these pages then cannot be recovered without rebooting the system. Local user with ability to assign device (with access to PCI sysfs files for a device) could use this flaw to DoS the system. Upstream fixes: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=12d6e7538e2d418c08f082b1b44ffa5fb7270ed8 http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e40f193f5bb022e927a57a4f5d5194e4f12ddb74 -rw-r--r-- virt/kvm/kvm_main.c 6 1 files changed, 3 insertions, 3 deletions diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index a4bf05b..f41ea12 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -791,7 +791,7 @@ int __kvm_set_memory_region(struct kvm *kvm, /* destroy any largepage mappings for dirty tracking */ } - if (!npages) { + if (!npages || base_gfn != old.base_gfn) { struct kvm_memory_slot *slot; r = -ENOMEM; @@ -807,8 +807,8 @@ int __kvm_set_memory_region(struct kvm *kvm, old_memslots = kvm->memslots; rcu_assign_pointer(kvm->memslots, slots); synchronize_srcu_expedited(&kvm->srcu); - /* From this point no new shadow pages pointing to a deleted - * memslot will be created. + /* From this point no new shadow pages pointing to a deleted, + * or moved, memslot will be created. * * validation of sp->gfn happens in: * - gfn_to_hva (kvm_read_guest, gfn_to_pfn) References: https://bugzilla.redhat.com/show_bug.cgi?id=1031702 -- Petr Matousek / Red Hat Security Response Team PGP: 0xC44977CA 8107 AF16 A416 F9AF 18F3 D874 3E78 6F42 C449 77CA
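Review bot: The widened condition `if (!npages || base_gfn != old.base_gfn)` now routes a moved slot through the same teardown block as a deleted one, which is the path the advisory says must unpin and unmap the iommu pages, but the `r = -ENOMEM;` failure inside that block therefore becomes reachable on a plain move as well; the caller needs to be able to rely on the old slot staying mapped and pinned when that allocation fails, and a one-line comment above the condition stating that a move is handled as delete-then-create would make that expectation explicit for the next reader.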
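Review bot: The comment change to "no new shadow pages pointing to a deleted, or moved, memslot will be created" keeps the text consistent with the new condition, but it still documents only the shadow-page side of the barrier after `synchronize_srcu_expedited(&kvm->srcu)`; since the bug being fixed is the leaked iommu mapping, adding that the moved slot's iommu pages are unmapped and unpinned on this path too would record why the move case was added.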
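To make the leaked resource concrete, here is an added C model of the memslot update path, constructed for this page and not kernel code: `set_memory_region`, `leaked_after_move` and the `iommu_pinned_pages` counter are hypothetical stand-ins for the kernel's slot update and per-page pinning, with the teardown condition switchable between the pre-fix form and the fixed form from the patch above.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a KVM user memory slot: npages frames from base_gfn. */
struct memslot {
    unsigned long base_gfn;
    unsigned long npages;
};

/* Host pages currently pinned for the iommu (hypothetical counter standing in
 * for the kernel's per-page pin). Pins that outlive their slot are the leak. */
static unsigned long iommu_pinned_pages;

/* Apply a memory-region update, selecting the teardown condition before or
 * after the upstream fix. Only the iommu bookkeeping is modelled. */
static void set_memory_region(struct memslot *slot, unsigned long base_gfn,
                              unsigned long npages, bool fixed)
{
    struct memslot old = *slot;
    /* Teardown path: the old mapping's pages are unmapped and unpinned.
     * Before the fix only a delete (npages == 0) took it; the fix adds
     * the move case, base_gfn != old.base_gfn, from the patch above. */
    if (!npages || (fixed && base_gfn != old.base_gfn))
        iommu_pinned_pages -= old.npages;
    slot->base_gfn = base_gfn;
    slot->npages = npages;
    /* A created or moved region is mapped for the assigned device, which
     * pins its pages; an unchanged region is already mapped. */
    if (npages && (old.npages == 0 || base_gfn != old.base_gfn))
        iommu_pinned_pages += npages;
}

/* Create a 16-frame slot, move it, then delete it, and return the pins left
 * behind: memory the advisory says cannot be recovered without a reboot. */
unsigned long leaked_after_move(bool fixed)
{
    struct memslot slot = { 0, 0 };
    iommu_pinned_pages = 0;
    set_memory_region(&slot, 0x1000, 16, fixed); /* create */
    set_memory_region(&slot, 0x2000, 16, fixed); /* move: base_gfn changes */
    set_memory_region(&slot, 0x2000, 0, fixed);  /* delete */
    return iommu_pinned_pages;
}

int main(void)
{
    printf("pins leaked before fix: %lu, after fix: %lu\n",
           leaked_after_move(false), leaked_after_move(true));
    return 0;
}
```

Each move of a slot with an assigned device leaves the old region's pins behind in the pre-fix model, so repeated moves grow the unreclaimable count without bound.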
