| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jul 2016 09:43:24 +0200 From: Paolo Bonzini <pbonzini@...hat.com> To: Yang Zhang <yang.zhang.wz@...il.com>, Radim Krčmář <rkrcmar@...hat.com>, linux-kernel@...r.kernel.org, kvm@...r.kernel.org Cc: "Lan, Tianyu" <tianyu.lan@...el.com>, Igor Mammedov <imammedo@...hat.com>, Jan Kiszka <jan.kiszka@....de>, Peter Xu <peterx@...hat.com> Subject: Re: [PATCH v2 04/13] KVM: x86: dynamic kvm_apic_map On 11/07/2016 08:07, Yang Zhang wrote: >> >> mutex_lock(&kvm->arch.apic_map_lock); >> >> + kvm_for_each_vcpu(i, vcpu, kvm) >> + if (kvm_apic_present(vcpu)) >> + max_id = max(max_id, kvm_apic_id(vcpu->arch.apic)); >> + >> + new = kzalloc(sizeof(struct kvm_apic_map) + >> + sizeof(struct kvm_lapic *) * (max_id + 1), >> GFP_KERNEL); >> + > > I think this may cause the host runs out of memory if a malicious guest > did follow thing: > 1. vcpu a is doing apic map recalculation. > 2. vcpu b write the apic id with 0xff > 3. then vcpu b enable the x2apic: in kvm_lapic_set_base(), we will set > apic_base to new value before reset the apic id. > 4. vcpu a may see the x2apic enabled in vcpu b plus an old apic > id(0xff), and max_id will become (0xff >> 24). The bug is not really here but in patch 6---but you're right nevertheless! I guess the easiest solution is to replace kvm_apic_id with a field in struct kvm_lapic, which is already shifted right by 24 in xAPIC mode. It can be added easily in patch 6 itself, it's like 3 new lines of code because all reads and writes go through kvm_apic_id and kvm_apic_set_id; the kvm_apic_id wrapper can be kept for simplicity. Thanks again! Paolo
Powered by blists - more mailing lists