projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 52b993b) | patch
vhost/vsock: fix use-after-free in network stack callers
authorStefan Hajnoczi <stefanha@redhat.com>
Mon, 5 Nov 2018 10:35:47 +0000 (10:35 +0000)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 13 Dec 2018 08:18:52 +0000 (09:18 +0100)
commitf15c072d6576c5e2b693c22e39ccc9103c952078
tree6313f9c07f35a4bb0875de29ee0f2b5442a13fe9tree | snapshot (tar.gz zip)
parent52b993b4c4c2a88b62601b0cc0662a564e1d65dccommit | diff
vhost/vsock: fix use-after-free in network stack callers

commit 834e772c8db0c6a275d75315d90aba4ebbb1e249 upstream.

If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
a struct vhost_vsock use-after-free is possible.  This occurs because
.release() does not wait for other CPUs to stop using struct
vhost_vsock.

Switch to an RCU-enabled hashtable (indexed by guest CID) so that
.release() can wait for other CPUs by calling synchronize_rcu().  This
also eliminates vhost_vsock_lock acquisition in the data path so it
could have a positive effect on performance.

This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".

Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com
Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/vhost/vsock.c diff | blob | blame | history