lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Mar 2016 20:48:03 -0700 From: Andy Lutomirski <luto@...capital.net> To: Xiao Guangrong <guangrong.xiao@...ux.intel.com> Cc: David Matlack <dmatlack@...gle.com>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>, kvm list <kvm@...r.kernel.org>, Paolo Bonzini <pbonzini@...hat.com>, Ingo Molnar <mingo@...hat.com>, Andy Lutomirski <luto@...nel.org>, "H. Peter Anvin" <hpa@...or.com>, Eric Northup <digitaleric@...gle.com> Subject: Re: [PATCH 0/1] KVM: x86: using the fpu in interrupt context with a guest's xcr0 On Tue, Mar 15, 2016 at 8:43 PM, Xiao Guangrong <guangrong.xiao@...ux.intel.com> wrote: > > > On 03/16/2016 03:01 AM, David Matlack wrote: >> >> On Mon, Mar 14, 2016 at 12:46 AM, Xiao Guangrong >> <guangrong.xiao@...ux.intel.com> wrote: >>> >>> >>> >>> On 03/12/2016 04:47 AM, David Matlack wrote: >>> >>>> I have not been able to trigger this bug on Linux 4.3, and suspect >>>> it is due to this commit from Linux 4.2: >>>> >>>> 653f52c kvm,x86: load guest FPU context more eagerly >>>> >>>> With this commit, as long as the host is using eagerfpu, the guest's >>>> fpu is always loaded just before the guest's xcr0 (vcpu->fpu_active >>>> is always 1 in the following snippet): >>>> >>>> 6569 if (vcpu->fpu_active) >>>> 6570 kvm_load_guest_fpu(vcpu); >>>> 6571 kvm_load_guest_xcr0(vcpu); >>>> >>>> When the guest's fpu is loaded, irq_fpu_usable() returns false. >>> >>> >>> >>> Er, i did not see that commit introduced this change. >>> >>>> >>>> We've included our workaround for this bug, which applies to Linux 3.11. >>>> It does not apply cleanly to HEAD since the fpu subsystem was refactored >>>> in Linux 4.2. While the latest kernel does not look vulnerable, we may >>>> want to apply a fix to the vulnerable stable kernels. >>> >>> >>> >>> Is the latest kvm safe if we use !eager fpu? >> >> >> Yes I believe so. When !eagerfpu, interrupted_kernel_fpu_idle() >> returns "!current->thread.fpu.fpregs_active && (read_cr0() & >> X86_CR0_TS)". This should ensure the interrupt handler never does >> XSAVE/XRSTOR with the guest's xcr0. > > > > interrupted_kernel_fpu_idle() returns true if KVM-based hypervisor (e.g. > QEMU) > is not using fpu. That can not stop handler using fpu. Why is it safe to rely on interrupted_kernel_fpu_idle? That function is for interrupts, but is there any reason that KVM can't be preempted (or explicitly schedule) with XCR0 having some funny value? --Andy -- Andy Lutomirski AMA Capital Management, LLC
Powered by blists - more mailing lists