| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 Apr 2016 15:03:39 -0400 (EDT)
From: Paolo Bonzini <pbonzini@...hat.com>
To: David Matlack <dmatlack@...gle.com>
Cc: kvm list <kvm@...r.kernel.org>, linux-kernel@...r.kernel.org,
Andy Lutomirski <luto@...capital.net>, stable@...r.kernel.org
Subject: Re: [PATCH] kvm: x86: do not leak guest xcr0 into host interrupt
handlers
----- Original Message -----
> >>> While running my acceptance tests, in one case I got one CPU whose xcr0
> >>> had leaked into the host. This showed up as a SIGILL in strncasecmp's
> >>> AVX code, and a simple program confirmed it:
> >>>
> >>> $ cat xgetbv.c
> >>> #include <stdio.h>
> >>> int main(void)
> >>> {
> >>> unsigned xcr0_h, xcr0_l;
> >>> asm("xgetbv" : "=d"(xcr0_h), "=a"(xcr0_l) : "c"(0));
> >>> printf("%08x:%08x\n", xcr0_h, xcr0_l);
> >>> }
> >>> $ gcc xgetbv.c -O2
> >>> $ for i in `seq 0 55`; do echo $i `taskset -c $i ./a.out`; done|grep
> >>> -v 007
> >>> 19 00000000:00000003
> >>>
> >>> I'm going to rerun the tests without this patch, as it seems the most
> >>> likely culprit, and leave it out of the pull request if they pass.
> >>
> >> Agreed this is a very likely culprit. I think I see one way the
> >> guest's xcr0 can leak into the host.
> >
> > That's cancel_injection, right? If it's just about moving the load call
> > below, I can do that. Hmm, I will even test that today. :)
>
> Yes that's what I was thinking, move kvm_load_guest_xcr0 below that if.
>
> Thank you :). Let me know how testing goes.
It went well.
Paolo
Powered by blists - more mailing lists