[rlc-8/4.18.0-553.139.1.el8_10] Multiple patches tested (2 commits)#1404
Open
ciq-kernel-automation[bot] wants to merge 2 commits into
Open
Conversation
cve CVE-2026-46113 commit-author Sean Christopherson <seanjc@google.com> commit - commit-source-sha 0cb2af2ea66ad95873455d8a1d0f6f4e13fef645 commit-source https://lore.kernel.org/all/20260626112634.1778506-1-pbonzini@redhat.com/ upstream-diff | This is a HAND-PORT, not a cherry-pick. Upstream commit 0cb2af2 fixes kvm_mmu_get_child_sp() by adding a spte_to_child_sp(*sptep)->gfn == gfn check to its -EEXIST reuse guard. That function (and spte_to_child_sp/kvm_mmu_child_role, the whole get_child_sp/get_shadow_page split) does NOT exist on this 4.18-based tree, which predates the ~6.2 KVM MMU refactor and still uses kvm_mmu_get_page() + link_shadow_page(). On this tree the interior-SPTE reuse happens in the fault-path walkers __direct_map() and FNAME(fetch): after drop_large_spte(), a present non-large SPTE is reused as-is (skipping the kvm_mmu_get_page() alloc path that would validate gfn), with no re-check that the referenced child shadow page still maps the expected gfn. The equivalent guard is therefore applied at each of the three reuse sites via a shared helper kvm_mmu_child_sp_matches(); on mismatch the stale child SPTE is zapped (mmu_page_zap_pte + remote flush) so the correct child is (re)allocated. kvm_mmu_child_role() factors out kvm_mmu_get_page()'s role derivation so the guard and the allocator cannot drift. Functionally equivalent to upstream. Commit 0cb2af2 ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixes a shadow paging mismatch between the stored and computed GFNs. The bug can be triggered by changing a PDE mapping from outside the guest and then deleting a memslot: rmap_remove() misses entries whose leaf SPTE gfn does not match the gfn of the struct kvm_mmu_page. The freed shadow page's rmap entry survives, and later walks of that gfn (dirty logging, MMU notifier invalidation, ...) dereference an sptep in the freed page, causing the use-after-free. Fixes: 2032a93 ("KVM: MMU: Don't allocate gfns page for direct mmu pages") Reported-by: Hyunwoo Kim <imv4bel@gmail.com> Signed-off-by: Shreeya Patel <spatel@ciq.com> (cherry picked from commit 77a7e0c53f10a5e3eb48ae52a8ea7844904f5fff)
cve CVE-2026-53359 commit-author Paolo Bonzini <pbonzini@redhat.com> commit - commit-source-sha 81ccda3 commit-source https://lore.kernel.org/all/20260626112634.1778506-1-pbonzini@redhat.com/ upstream-diff | This is a HAND-PORT, not a cherry-pick. Upstream commit 81ccda3 fixes kvm_mmu_get_child_sp() by adding spte_to_child_sp(*sptep)->role.word == role.word to its -EEXIST reuse guard, on top of the unexpected-GFN check. That function does not exist on this 4.18-based tree (see the prerequisite "unexpected GFN" commit for the full rationale); the equivalent guard lives in the shared helper kvm_mmu_child_sp_matches() applied at the three fault-path reuse sites. This commit adds the role.word comparison to that helper, using kvm_mmu_child_role() to derive the expected role exactly as kvm_mmu_get_page() does. Functionally equivalent to upstream. Commit 0cb2af2 ("KVM: x86: Fix shadow paging use-after-free due to unexpected GFN") fixed a shadow paging mismatch between stored and computed GFNs. A similar hole remains if the modified PDE points to a non-leaf page: the gfn can be made to match, but the role does not. The original large 2MB page creates a kvm_mmu_page with direct=1, while the new 4KB mapping needs one with direct=0; because the reuse path did not compare the role, the direct=1 page was reused. Installing a leaf SPTE then records an rmap entry under the walk's gfn, but when that child is zapped its parent has direct=1 and kvm_mmu_page_get_gfn() computes the gfn as sp->gfn + index instead of using sp->gfns[], so the recorded entry is not removed. When the memslot is dropped the shadow page is freed but the rmap entry survives, and later walks dereference an sptep in the freed page, causing the use-after-free. Fixes: 2032a93 ("KVM: MMU: Don't allocate gfns page for direct mmu pages") Reported-by: Hyunwoo Kim <imv4bel@gmail.com> Signed-off-by: Shreeya Patel <spatel@ciq.com> (cherry picked from commit 1b5de8ad73a7a312c68374860bab5bbce44075a9)
|
🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/28814796100 |
|
✅ Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/28814796100 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR has been automatically created after successful completion of all CI stages.
Commit Message(s)
Reproducing and testing Januscape
Prerequisites
Steps (inside the guest)
makesudo rmmod kvm_intelsudo insmod poc.kosudo rmmod pocsudo insmod poc.koExpected result
The host panics with a KVM shadow-MMU rmap corruption, with a signature like:
Verifying the fix
Install the patched kernel on the host, boot into it, and repeat the same PoC runs from the guest. With the fix applied the host survives all runs (no pte_list_remove)
Test Results
✅ Build Stage
✅ Boot Verification
✅ Kernel Selftests
✅ LTP Results
🤖 This PR was automatically generated by GitHub Actions
Run ID: 28800827773