Message-ID: <20141027200811.GB5470@pd.tnic>
Date:	Mon, 27 Oct 2014 21:08:11 +0100
From:	Borislav Petkov <bp@...e.de>
To:	Paolo Bonzini <pbonzini@...hat.com>
Cc:	linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
	namit@...technion.ac.il, stable@...r.kernel.org
Subject: Re: [PATCH] KVM: emulator: fix execution close to the segment limit

On Mon, Oct 27, 2014 at 03:31:46PM +0100, Paolo Bonzini wrote:
> Emulation of code that is 14 bytes to the segment limit or closer
> (e.g. RIP = 0xFFFFFFF2 after reset) is broken because we try to read as
> many as 15 bytes from the beginning of the instruction, and __linearize
> fails when the passed (address, size) pair reaches out of the segment.
> 
> To fix this, let __linearize return the maximum accessible size (clamped
> to 2^32-1) for usage in __do_insn_fetch_bytes, and avoid the limit check
> by passing zero for the desired size.
> 
> For expand-down segments, __linearize is performing a redundant check.
> (u32)(addr.ea + size - 1) <= lim can only happen if addr.ea is close
> to 4GB; in this case, addr.ea + size - 1 will also fail the check against
> the upper bound of the segment (which is provided by the D/B bit).
> After eliminating the redundant check, it is simple to compute
> the *max_size for expand-down segments too.
> 
> Now that the limit check is done in __do_insn_fetch_bytes, we want
> to inject a general protection fault there if size < op_size (like
> __linearize would have done), instead of just aborting.
> 
> This fixes booting Tiano Core from emulated flash with EPT disabled.
> 
> Cc: stable@...r.kernel.org
> Fixes: 719d5a9b2487e0562f178f61e323c3dc18a8b200
> Reported-by: Borislav Petkov <bp@...e.de>
> Signed-off-by: Paolo Bonzini <pbonzini@...hat.com>

Thanks Paolo, the ept=0 case seems to work now. I'll stress it more
later this week.

Tested-by: Borislav Petkov <bp@...e.de>

-- 
Regards/Gruss,
    Boris.

Sent from a fat crate under my desk. Formatting is fine.
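The commit message above describes the fix in terms of two kernel internals, __linearize and __do_insn_fetch_bytes. The following is an added, self-contained C model of that logic written for this archive page; it is not the KVM code itself, and the names `struct seg`, `linearize`, `fetch_bytes` and `fetch_bytes_old` are simplified stand-ins for the real functions. It shows why a 15-byte prefetch at RIP = 0xFFFFFFF2 in a flat 4 GB code segment fails under the old check (only 14 bytes remain before the limit), how returning a clamped maximum size lets the fetch succeed, and where the #GP for `max_size < op_size` is raised in the new scheme. The expand-down handling is modelled as the commit describes it (upper bound from the D/B bit); the constructed segment values are sample inputs, not anything from the patch.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_INSN_BYTES 15u          /* x86 maximum instruction length */

/* Minimal stand-in for the segment descriptor fields consulted here. */
struct seg {
    uint32_t base;
    uint32_t limit;        /* byte-granular limit (G bit already applied) */
    bool     expand_down;
    bool     d_bit;        /* D/B: upper bound 0xFFFFFFFF if set, else 0xFFFF */
};

/*
 * Model of __linearize after the fix: besides the linear address, report
 * how many bytes from ea are accessible (clamped to 2^32-1).  A size of 0
 * means "do not enforce a size", which is how the fetch path skips the
 * limit check and decides on its own.
 */
bool linearize(const struct seg *s, uint32_t ea, uint32_t size,
               uint32_t *linear, uint32_t *max_size)
{
    uint32_t upper;

    if (!s->expand_down) {
        if (ea > s->limit)
            return false;           /* #GP: beyond the segment */
        upper = s->limit;
    } else {
        upper = s->d_bit ? 0xFFFFFFFFu : 0xFFFFu;
        if (ea <= s->limit || ea > upper)
            return false;           /* #GP: inside the hole or above D/B bound */
    }

    /* bytes from ea up to and including upper, clamped to fit in 32 bits */
    uint64_t span = (uint64_t)upper - ea + 1;
    *max_size = span > 0xFFFFFFFFull ? 0xFFFFFFFFu : (uint32_t)span;

    if (size && size > *max_size)
        return false;               /* #GP: requested range crosses the limit */

    *linear = s->base + ea;
    return true;
}

/* Old behaviour: always ask for 15 bytes, so a fetch near the limit fails. */
bool fetch_bytes_old(const struct seg *cs, uint32_t rip, unsigned *fetched)
{
    uint32_t linear, max_size;
    if (!linearize(cs, rip, MAX_INSN_BYTES, &linear, &max_size))
        return false;
    *fetched = MAX_INSN_BYTES;
    return true;
}

/*
 * New behaviour (model of __do_insn_fetch_bytes): ask for size 0, clamp the
 * prefetch to what the segment allows, and fault only if even the op_size
 * bytes of the current instruction are unavailable.
 */
bool fetch_bytes(const struct seg *cs, uint32_t rip, unsigned op_size,
                 unsigned *fetched)
{
    uint32_t linear, max_size;
    if (!linearize(cs, rip, 0, &linear, &max_size))
        return false;
    if (max_size < op_size)
        return false;               /* inject #GP as __linearize would have */
    *fetched = max_size < MAX_INSN_BYTES ? max_size : MAX_INSN_BYTES;
    return true;
}

int main(void)
{
    /* constructed: flat 4 GB expand-up code segment, RIP just after reset */
    struct seg flat = { .base = 0, .limit = 0xFFFFFFFFu, .expand_down = false, .d_bit = true };
    unsigned n;
    printf("old: %s\n", fetch_bytes_old(&flat, 0xFFFFFFF2u, &n) ? "ok" : "#GP");
    if (fetch_bytes(&flat, 0xFFFFFFF2u, 1, &n))
        printf("new: fetched %u bytes\n", n);
    return 0;
}
```

The two entry points return booleans rather than printing so the behaviour can be asserted: the old path faults at RIP = 0xFFFFFFF2, the new path fetches exactly the 14 remaining bytes, and a one-byte gap with a two-byte opcode still faults.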