| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <57062382.6070005@redhat.com>
Date: Thu, 7 Apr 2016 11:08:18 +0200
From: Paolo Bonzini <pbonzini@...hat.com>
To: David Matlack <dmatlack@...gle.com>
Cc: kvm list <kvm@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
Andy Lutomirski <luto@...capital.net>, stable@...r.kernel.org
Subject: Re: [PATCH] kvm: x86: do not leak guest xcr0 into host interrupt
handlers
On 05/04/2016 17:56, David Matlack wrote:
> On Tue, Apr 5, 2016 at 4:28 AM, Paolo Bonzini <pbonzini@...hat.com> wrote:
>>
> ...
>>
>> While running my acceptance tests, in one case I got one CPU whose xcr0
>> had leaked into the host. This showed up as a SIGILL in strncasecmp's
>> AVX code, and a simple program confirmed it:
>>
>> $ cat xgetbv.c
>> #include <stdio.h>
>> int main(void)
>> {
>> unsigned xcr0_h, xcr0_l;
>> asm("xgetbv" : "=d"(xcr0_h), "=a"(xcr0_l) : "c"(0));
>> printf("%08x:%08x\n", xcr0_h, xcr0_l);
>> }
>> $ gcc xgetbv.c -O2
>> $ for i in `seq 0 55`; do echo $i `taskset -c $i ./a.out`; done|grep -v 007
>> 19 00000000:00000003
>>
>> I'm going to rerun the tests without this patch, as it seems the most
>> likely culprit, and leave it out of the pull request if they pass.
>
> Agreed this is a very likely culprit. I think I see one way the
> guest's xcr0 can leak into the host.
That's cancel_injection, right? If it's just about moving the load call
below, I can do that. Hmm, I will even test that today. :)
Paolo
Powered by blists - more mailing lists