Re: [PATCH stable 6.1.y 1/2] KVM: arm64: Prevent the donation of no-map pages

From: Marc Zyngier
Date: Fri Sep 22 2023 - 06:08:44 EST


On Thu, 21 Sep 2023 23:22:54 +0100,
"Jitindar Singh, Suraj" <surajjs@xxxxxxxxxx> wrote:
>
> On Thu, 2023-09-21 at 08:13 +0100, Marc Zyngier wrote:
> > On Wed, 20 Sep 2023 20:27:28 +0100,
> > Suraj Jitindar Singh <surajjs@xxxxxxxxxx> wrote:
> > >
> > > From: Quentin Perret <qperret@xxxxxxxxxx>
> > >
> > > commit 43c1ff8b75011bc3e3e923adf31ba815864a2494 upstream.
> > >
> > > Memory regions marked as "no-map" in the host device-tree routinely
> > > include TrustZone carev-outs and DMA pools. Although donating such
> > > pages
> > > to the hypervisor may not breach confidentiality, it could be used
> > > to
> > > corrupt its state in uncontrollable ways. To prevent this, let's
> > > block
> > > host-initiated memory transitions targeting "no-map" pages
> > > altogether in
> > > nVHE protected mode as there should be no valid reason to do this
> > > in
> > > current operation.
> > >
> > > Thankfully, the pKVM EL2 hypervisor has a full copy of the host's
> > > list
> > > of memblock regions, so we can easily check for the presence of the
> > > MEMBLOCK_NOMAP flag on a region containing pages being donated from
> > > the
> > > host.
> > >
> > > Reviewed-by: Philippe Mathieu-Daudé <philmd@xxxxxxxxxx>
> > > Tested-by: Vincent Donnefort <vdonnefort@xxxxxxxxxx>
> > > Signed-off-by: Quentin Perret <qperret@xxxxxxxxxx>
> > > Signed-off-by: Will Deacon <will@xxxxxxxxxx>
> > > Signed-off-by: Marc Zyngier <maz@xxxxxxxxxx>
> > > Link:
> > > https://lore.kernel.org/r/20221110190259.26861-8-will@xxxxxxxxxx
> > > [ bp: clean ]
> >
> > What is this?
>
> Noting any details about the backport. In this case it was a clean
> backport.

I don't think this has anything to do here. If you want to add a note
indicating what was changed in the patch, make it *extremely* visible
in the commit message, and not hidden as some obscure form of
metadata.

>
> >
> > > Signed-off-by: Suraj Jitindar Singh <surajjs@xxxxxxxxxx>
> >
> > What is the rationale for backporting this? It wasn't tagged as Cc:
> > to
> > stable for a reason: pKVM isn't functional upstream, and won't be for
> > the next couple of cycles *at least*.
> >
> > So at it stands, I'm against such a backport.
> >
>
> The 2 patches were backported to address CVE-2023-21264.
> This one provides context for the proceeding patch.

I care about CVEs as much as I care about holes in my socks (i.e. very
little). If there is a concern, it should be brought up on the list as
a discussion, and not as a consequence of some script kiddie
automatically generating CVEs.

> I wasn't aware that it's non functional. Does this mean that the code
> won't be compiled or just that it can't actually be run currently from
> the upstream codebase?

This code is inactive unless you pass the correct option on the
command line, and as it is brings zero benefit over standard KVM. The
only place this matters is in the Android kernel, as it has full
support for pKVM, and has the fix already. We carry it upstream at a
courtesy to the pKVM developers, but that's about it.

> I guess I'm trying to understand if the conditions of the CVE are a
> real concern even if it isn't technically functional.

This CVE is a waste of precious bytes, and I have no interest in
seeing this backported.

Thanks,

M.

--
Without deviation from the norm, progress is not possible.