Re: [PATCH AUTOSEL 4.19 21/26] Drivers: hv: vmbus: Resolve race condition in vmbus_onoffer_rescind()

2021-02-24 Thread Andrea Parri 
On Wed, Feb 24, 2021 at 07:54:29AM -0500, Sasha Levin wrote:
> From: "Andrea Parri (Microsoft)" 
> 
> [ Upstream commit e4d221b42354b2e2ddb9187a806afb651eee2cda ]
> 
> An erroneous or malicious host could send multiple rescind messages for
> a same channel.  In vmbus_onoffer_rescind(), the guest maps the channel
> ID to obtain a pointer to the channel object and it eventually releases
> such object and associated data.  The host could time rescind messages
> and lead to an use-after-free.  Add a new flag to the channel structure
> to make sure that only one instance of vmbus_onoffer_rescind() can get
> the reference to the channel object.
> 
> Reported-by: Juan Vazquez 
> Signed-off-by: Andrea Parri (Microsoft) 
> Reviewed-by: Michael Kelley 
> Link: https://lore.kernel.org/r/20201209070827.29335-6-parri.and...@gmail.com
> Signed-off-by: Wei Liu 
> Signed-off-by: Sasha Levin 

Same here.

  Andrea


> ---
>  drivers/hv/channel_mgmt.c | 12 
>  include/linux/hyperv.h|  1 +
>  2 files changed, 13 insertions(+)
> 
> diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
> index 7920b0d7e35a7..1322e799938af 100644
> --- a/drivers/hv/channel_mgmt.c
> +++ b/drivers/hv/channel_mgmt.c
> @@ -954,6 +954,18 @@ static void vmbus_onoffer_rescind(struct 
> vmbus_channel_message_header *hdr)
>  
>   mutex_lock(_connection.channel_mutex);
>   channel = relid2channel(rescind->child_relid);
> + if (channel != NULL) {
> + /*
> +  * Guarantee that no other instance of vmbus_onoffer_rescind()
> +  * has got a reference to the channel object.  Synchronize on
> +  * _connection.channel_mutex.
> +  */
> + if (channel->rescind_ref) {
> + mutex_unlock(_connection.channel_mutex);
> + return;
> + }
> + channel->rescind_ref = true;
> + }
>   mutex_unlock(_connection.channel_mutex);
>  
>   if (channel == NULL) {
> diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
> index 35461d49d3aee..59525fe25abde 100644
> --- a/include/linux/hyperv.h
> +++ b/include/linux/hyperv.h
> @@ -736,6 +736,7 @@ struct vmbus_channel {
>   u8 monitor_bit;
>  
>   bool rescind; /* got rescind msg */
> + bool rescind_ref; /* got rescind msg, got channel reference */
>   struct completion rescind_event;
>  
>   u32 ringbuffer_gpadlhandle;
> -- 
> 2.27.0
>

[PATCH AUTOSEL 4.19 21/26] Drivers: hv: vmbus: Resolve race condition in vmbus_onoffer_rescind()

2021-02-24 Thread Sasha Levin 
From: "Andrea Parri (Microsoft)" 

[ Upstream commit e4d221b42354b2e2ddb9187a806afb651eee2cda ]

An erroneous or malicious host could send multiple rescind messages for
a same channel.  In vmbus_onoffer_rescind(), the guest maps the channel
ID to obtain a pointer to the channel object and it eventually releases
such object and associated data.  The host could time rescind messages
and lead to an use-after-free.  Add a new flag to the channel structure
to make sure that only one instance of vmbus_onoffer_rescind() can get
the reference to the channel object.

Reported-by: Juan Vazquez 
Signed-off-by: Andrea Parri (Microsoft) 
Reviewed-by: Michael Kelley 
Link: https://lore.kernel.org/r/20201209070827.29335-6-parri.and...@gmail.com
Signed-off-by: Wei Liu 
Signed-off-by: Sasha Levin 
---
 drivers/hv/channel_mgmt.c | 12 
 include/linux/hyperv.h|  1 +
 2 files changed, 13 insertions(+)

diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
index 7920b0d7e35a7..1322e799938af 100644
--- a/drivers/hv/channel_mgmt.c
+++ b/drivers/hv/channel_mgmt.c
@@ -954,6 +954,18 @@ static void vmbus_onoffer_rescind(struct 
vmbus_channel_message_header *hdr)
 
mutex_lock(_connection.channel_mutex);
channel = relid2channel(rescind->child_relid);
+   if (channel != NULL) {
+   /*
+* Guarantee that no other instance of vmbus_onoffer_rescind()
+* has got a reference to the channel object.  Synchronize on
+* _connection.channel_mutex.
+*/
+   if (channel->rescind_ref) {
+   mutex_unlock(_connection.channel_mutex);
+   return;
+   }
+   channel->rescind_ref = true;
+   }
mutex_unlock(_connection.channel_mutex);
 
if (channel == NULL) {
diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
index 35461d49d3aee..59525fe25abde 100644
--- a/include/linux/hyperv.h
+++ b/include/linux/hyperv.h
@@ -736,6 +736,7 @@ struct vmbus_channel {
u8 monitor_bit;
 
bool rescind; /* got rescind msg */
+   bool rescind_ref; /* got rescind msg, got channel reference */
struct completion rescind_event;
 
u32 ringbuffer_gpadlhandle;
-- 
2.27.0