CVE-2023-54007

In the Linux kernel, the following vulnerability has been resolved:

vmcihost: fix a race condition in vmcihost_poll() causing GPF

During fuzzing, a general protection fault is observed in vmcihostpoll().

general protection fault, probably for non-canonical address 0xdffffc0000000019: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000c8-0x00000000000000cf] RIP: 0010:__lockacquire+0xf3/0x5e00 kernel/locking/lockdep.c:4926 <- omitting registers -> Call Trace: <TASK> lockacquire+0x1a4/0x4a0 kernel/locking/lockdep.c:5672 __rawspinlockirqsave include/linux/spinlockapismp.h:110 [inline] rawspinlockirqsave+0xb3/0x100 kernel/locking/spinlock.c:162 addwaitqueue+0x3d/0x260 kernel/sched/wait.c:22 pollwait include/linux/poll.h:49 [inline] vmcihostpoll+0xf8/0x2b0 drivers/misc/vmwvmci/vmcihost.c:174 vfspoll include/linux/poll.h:88 [inline] dopollfd fs/select.c:873 [inline] dopoll fs/select.c:921 [inline] dosys_poll+0xc7c/0x1aa0 fs/select.c:1015 __dosysppoll fs/select.c:1121 [inline] __sesysppoll+0x2cc/0x330 fs/select.c:1101 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x4e/0xa0 arch/x86/entry/common.c:82 entrySYSCALL64afterhwframe+0x46/0xb0

Example thread interleaving that causes the general protection fault is as follows:

CPU1 (vmcihostpoll) CPU2 (vmcihostdoinitcontext) ----- ----- // Read uninitialized context context = vmcihostdev->context; // Initialize context vmcihostdev->context = vmcictxcreate(); vmcihostdev->cttype = VMCIOBJCONTEXT;

if (vmcihostdev->cttype == VMCIOBJCONTEXT) { // Dereferencing the wrong pointer pollwait(..., &context->hostcontext); }

In this scenario, vmcihostpoll() reads vmcihostdev->context first, and then reads vmcihostdev->cttype to check that vmcihost_dev->context is initialized. However, since these two reads are not atomically executed, there is a chance of a race condition as described above.

To fix this race condition, read vmcihostdev->context after checking the value of vmcihostdev->cttype so that vmcihost_poll() always reads an initialized context.