kernel-fxtec-pro1x/virt/kvm
Jann Horn 24b027d2b1 kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.

kvm_ioctl_create_device() does the following:

1. creates a device that holds a reference to the VM object (with a borrowed
   reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
   reference

The ownership transfer in step 3 must not happen before the reference to the VM
becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before
anon_inode_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d57dc ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-12 19:47:25 +01:00
..
arm arm64: KVM: Skip MMIO insn after emulation 2019-02-12 19:47:12 +01:00
async_pf.c sched/swait: Rename to exclusive 2018-06-20 11:35:56 +02:00
async_pf.h KVM: fix checkpatch.pl errors in kvm/async_pf.h 2015-06-19 17:16:25 +02:00
coalesced_mmio.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
coalesced_mmio.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
eventfd.c Miscellaneous bugfixes, plus a small patchlet related to Spectre v2. 2018-07-18 11:08:44 -07:00
irqchip.c KVM: use rcu access function for irq routing 2017-07-07 15:24:15 +02:00
Kconfig KVM: arm64: Prevent KVM_COMPAT from being selected 2018-06-21 17:17:50 +01:00
kvm_main.c kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) 2019-02-12 19:47:25 +01:00
vfio.c vfio: New external user group/file match 2017-06-28 13:50:05 -06:00
vfio.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00