ANDROID: KVM: arm64: Fix ToCToU issue when refilling the hyp memcache

Xiling reports that the hypervisor dereferences the host memcache struct twice when refilling its own memcache. This allows the host to change its memcache head after it has been admitted and before it is consumed, leading to an arbitrary write in hypervisor memory. Fix this by copying the host memcache on the stack before starting to refill hence guaranteeing its stability. Bug: 228435321 Reported-by: Xiling Gong <xiling@google.com> Signed-off-by: Quentin Perret <qperret@google.com> Change-Id: Ib7c5db203e4a4a7f27eb9f0c0083f4b5c726b4d9
2026-03-25 20:10:23 +09:00 · 2022-04-07 15:26:30 +00:00
parent 8fe46774c6
commit 74ff6e66d2
1 changed files with 8 additions and 2 deletions
--- a/arch/arm64/kvm/hyp/nvhe/mm.c
+++ b/arch/arm64/kvm/hyp/nvhe/mm.c
@@ -331,6 +331,12 @@ static void *admit_host_page(void *arg)
 int refill_memcache(struct kvm_hyp_memcache *mc, unsigned long min_pages,
 		    struct kvm_hyp_memcache *host_mc)
 {
-	return __topup_hyp_memcache(mc, min_pages, admit_host_page,
-				    hyp_virt_to_phys, host_mc);
+	struct kvm_hyp_memcache tmp = *host_mc;
+	int ret;
+
+	ret =  __topup_hyp_memcache(mc, min_pages, admit_host_page,
+				    hyp_virt_to_phys, &tmp);
+	*host_mc = tmp;
+
+	return ret;
 }