| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Aug 2015 17:31:17 +0200 From: Radim Krčmář <rkrcmar@...hat.com> To: Paolo Bonzini <pbonzini@...hat.com> Cc: linux-kernel@...r.kernel.org, kvm@...r.kernel.org, dgilbert@...hat.com Subject: Re: [PATCH] KVM: x86: zero IDT limit on entry to SMM 2015-08-07 12:54+0200, Paolo Bonzini: > The recent BlackHat 2015 presentation "The Memory Sinkhole" > mentions that the IDT limit is zeroed on entry to SMM. Slide 64 of https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation.pdf > This is not documented, and must have changed some time after 2010 > (see http://www.ssi.gouv.fr/uploads/IMG/pdf/IT_Defense_2010_final.pdf). > KVM was not doing it, but the fix is easy. This patch also clears the IDT base. Fetching original IDT is better done from SMM saved state (and an anti-exploit based on comparing those two seems unlikely) so it should be fine, Reviewed-by: Radim Krčmář <rkrcmar@...hat.com> > Signed-off-by: Paolo Bonzini <pbonzini@...hat.com> > --- That takes care of Attack 1. KVM is likely not vulnerable to attack 2 and 3 because of an emergent security feature. (A simple modification of kvm-unit-tests show that mapping APIC base on top of real code/data makes the APIC page hidden and I expect SMM memslot to behave similarly.) -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists