Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e633b6d8 authored by Stefan Hajnoczi's avatar Stefan Hajnoczi Committed by Alistair Strachan
Browse files

UPSTREAM: vhost/vsock: fix use-after-free in network stack callers 



[ Upstream commit 834e772c8db0c6a275d75315d90aba4ebbb1e249 ]

If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
a struct vhost_vsock use-after-free is possible.  This occurs because
.release() does not wait for other CPUs to stop using struct
vhost_vsock.

Switch to an RCU-enabled hashtable (indexed by guest CID) so that
.release() can wait for other CPUs by calling synchronize_rcu().  This
also eliminates vhost_vsock_lock acquisition in the data path so it
could have a positive effect on performance.

This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".

Cc: stable@vger.kernel.org
Reported-and-tested-by: default avatar <syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com>
Reported-by: default avatar <syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com>
Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
Acked-by: default avatarJason Wang <jasowang@redhat.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
(cherry picked from commit 569fc4ffb5de8f12fe01759f0b85098b7b9bba8e)
Bug: 121166534
Test: Ran cuttlefish with android-4.4 + vsock adb tunnel
Signed-off-by: default avatarCody Schuffelen <schuffelen@google.com>
Change-Id: I87f1e0fbe3fc01ccc18924085e33220373856e29
parent eb2ca3c1
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment