From 0957aec08110b6bcce4c7c21835d2fe2a0a92005 Mon Sep 17 00:00:00 2001
From: Quentin Perret
Date: Thu, 7 Apr 2022 15:26:30 +0000
Subject: [PATCH] ANDROID: KVM: arm64: Fix ToCToU issue when refilling the hyp memcache

Xiling reports that the hypervisor dereferences the host memcache struct twice when refilling its own memcache. This allows the host to change its memcache head after it has been admitted and before it is consumed, leading to an arbitrary write in hypervisor memory.

Fix this by copying the host memcache on the stack before starting to refill hence guaranteeing its stability.

Bug: 228435321
Reported-by: Xiling Gong
Signed-off-by: Quentin Perret
Change-Id: Ib7c5db203e4a4a7f27eb9f0c0083f4b5c726b4d9
---
 arch/arm64/kvm/hyp/nvhe/mm.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/kvm/hyp/nvhe/mm.c b/arch/arm64/kvm/hyp/nvhe/mm.c
index 6239fea7496b..4e86a2123c05 100644
--- a/arch/arm64/kvm/hyp/nvhe/mm.c
+++ b/arch/arm64/kvm/hyp/nvhe/mm.c
@@ -331,6 +331,12 @@ static void *admit_host_page(void *arg)
 int refill_memcache(struct kvm_hyp_memcache *mc, unsigned long min_pages,
 		    struct kvm_hyp_memcache *host_mc)
 {
-	return __topup_hyp_memcache(mc, min_pages, admit_host_page,
-				    hyp_virt_to_phys, host_mc);
+	struct kvm_hyp_memcache tmp = *host_mc;
+	int ret;
+
+	ret = __topup_hyp_memcache(mc, min_pages, admit_host_page,
+				    hyp_virt_to_phys, &tmp);
+	*host_mc = tmp;
+
+	return ret;
 }
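Review bot: The stack copy in refill_memcache carries no comment saying why it exists, so a later cleanup could fold it back into a direct `host_mc` pass and silently reintroduce the double-read the commit fixes; I would put `/* Snapshot host_mc: it lives in host-writable memory and must not be re-read while pages are admitted (ToCToU). */` above `struct kvm_hyp_memcache tmp = *host_mc;`. The snapshot itself is a plain struct assignment, so a host write racing it can still produce a torn copy (stale `head` with a fresh `nr_pages`); whether that is harmless depends on admit_host_page validating every popped page before it is written through, which is outside this hunk and worth confirming. The unconditional `*host_mc = tmp;` on the error path looks intentional (pages already consumed must be reflected back), but a short comment to that effect, e.g. `/* Write back even on failure: consumed pages are gone from the host's chain. */`, would make the contract explicit to callers.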