lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 7 Apr 2020 21:25:56 +0000
From:   David Laight <David.Laight@...LAB.COM>
To:     'Peter Zijlstra' <peterz@...radead.org>,
        "tglx@...utronix.de" <tglx@...utronix.de>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC:     "hch@...radead.org" <hch@...radead.org>,
        "sean.j.christopherson@...el.com" <sean.j.christopherson@...el.com>,
        "mingo@...hat.com" <mingo@...hat.com>,
        "bp@...en8.de" <bp@...en8.de>, "hpa@...or.com" <hpa@...or.com>,
        "x86@...nel.org" <x86@...nel.org>,
        "kenny@...ix.com" <kenny@...ix.com>,
        "jeyu@...nel.org" <jeyu@...nel.org>,
        "rasmus.villemoes@...vas.dk" <rasmus.villemoes@...vas.dk>,
        "pbonzini@...hat.com" <pbonzini@...hat.com>,
        "fenghua.yu@...el.com" <fenghua.yu@...el.com>,
        "xiaoyao.li@...el.com" <xiaoyao.li@...el.com>,
        "nadav.amit@...il.com" <nadav.amit@...il.com>,
        "thellstrom@...are.com" <thellstrom@...are.com>,
        "tony.luck@...el.com" <tony.luck@...el.com>,
        "rostedt@...dmis.org" <rostedt@...dmis.org>,
        "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "jannh@...gle.com" <jannh@...gle.com>,
        "keescook@...omium.org" <keescook@...omium.org>,
        "dcovelli@...are.com" <dcovelli@...are.com>,
        "mhiramat@...nel.org" <mhiramat@...nel.org>
Subject: RE: [PATCH 3/4] x86,module: Detect VMX vs SLD conflicts

From: Peter Zijlstra
> Sent: 07 April 2020 12:03
> 
> It turns out that with Split-Lock-Detect enabled (default) any VMX
> hypervisor needs at least a little modification in order to not blindly
> inject the #AC into the guest without the guest being ready for it.
> 
> Since there is no telling which module implements a hypervisor, scan
> all out-of-tree modules' text and look for VMX instructions and refuse
> to load it when SLD is enabled (default) and the module isn't marked
> 'sld_safe'.
...
> +	while (text < text_end) {
> +		kernel_insn_init(&insn, text, text_end - text);
> +		insn_get_length(&insn);
> +
> +		if (WARN_ON_ONCE(!insn_complete(&insn))) {
> +			pr_err("Module text malformed: %s\n", mod->name);
> +			return -ENOEXEC;
> +		}
> +
> +		if (!allow_vmx && insn_is_vmx(&insn)) {
> +			pr_err("Module has VMX instructions and is not marked 'sld_safe', boot with:
> 'split_lock_detect=off': %s\n", mod->name);
> +			return -ENOEXEC;
> +		}
> +
> +		text += insn.length;
> +	}

There is a slight flaw in the above.
A malicious module can hide the required instruction by jumping into the
middle of a long instruction.

Even checking branch targets hit instruction barriers isn't enough,
an indirect jump could be used.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists