Date: Tue, 7 Apr 2020 21:25:56 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Peter Zijlstra' <peterz@...radead.org>, "tglx@...utronix.de" <tglx@...utronix.de>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
CC: "hch@...radead.org" <hch@...radead.org>, "sean.j.christopherson@...el.com" <sean.j.christopherson@...el.com>, "mingo@...hat.com" <mingo@...hat.com>, "bp@...en8.de" <bp@...en8.de>, "hpa@...or.com" <hpa@...or.com>, "x86@...nel.org" <x86@...nel.org>, "kenny@...ix.com" <kenny@...ix.com>, "jeyu@...nel.org" <jeyu@...nel.org>, "rasmus.villemoes@...vas.dk" <rasmus.villemoes@...vas.dk>, "pbonzini@...hat.com" <pbonzini@...hat.com>, "fenghua.yu@...el.com" <fenghua.yu@...el.com>, "xiaoyao.li@...el.com" <xiaoyao.li@...el.com>, "nadav.amit@...il.com" <nadav.amit@...il.com>, "thellstrom@...are.com" <thellstrom@...are.com>, "tony.luck@...el.com" <tony.luck@...el.com>, "rostedt@...dmis.org" <rostedt@...dmis.org>, "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>, "jannh@...gle.com" <jannh@...gle.com>, "keescook@...omium.org" <keescook@...omium.org>, "dcovelli@...are.com" <dcovelli@...are.com>, "mhiramat@...nel.org" <mhiramat@...nel.org>
Subject: RE: [PATCH 3/4] x86,module: Detect VMX vs SLD conflicts

From: Peter Zijlstra
> Sent: 07 April 2020 12:03
>
> It turns out that with Split-Lock-Detect enabled (default) any VMX
> hypervisor needs at least a little modification in order to not blindly
> inject the #AC into the guest without the guest being ready for it.
>
> Since there is no telling which module implements a hypervisor, scan
> all out-of-tree modules' text and look for VMX instructions and refuse
> to load it when SLD is enabled (default) and the module isn't marked
> 'sld_safe'.
...
> + while (text < text_end) { > + kernel_insn_init(&insn, text, text_end - text); > + insn_get_length(&insn); > + > + if (WARN_ON_ONCE(!insn_complete(&insn))) { > + pr_err("Module text malformed: %s\n", mod->name); > + return -ENOEXEC; > + } > + > + if (!allow_vmx && insn_is_vmx(&insn)) { > + pr_err("Module has VMX instructions and is not marked 'sld_safe', boot with: > 'split_lock_detect=off': %s\n", mod->name); > + return -ENOEXEC; > + } > + > + text += insn.length; > + } There is a slight flaw in the above. A malicious module can hide the required instruction by jumping into the middle of a long instruction. Even checking branch targets hit instruction barriers isn't enough, an indirect jump could be used. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
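Review bot: the decode loop in the quoted hunk assumes the range text..text_end is a single well-formed stream of back-to-back instructions, so the scan is only as reliable as the starting alignment: any non-instruction bytes inside the text range, or an encoding that overlaps another, desynchronise `insn_get_length()` and the `insn_is_vmx()` check silently looks at the wrong boundaries, which is exactly the gap the reply above points out. The commit message should state plainly that this is a best-effort aid for well-behaved modules and that the real guarantees remain the `sld_safe` marking and `split_lock_detect=off`, rather than implying the scan blocks a deliberately evasive module. Separately, the `WARN_ON_ONCE(!insn_complete(&insn))` branch turns an undecodable byte sequence in a loadable module into a kernel warning with a stack trace; since the function already returns `-ENOEXEC` with a `pr_err()` naming the module, consider dropping the `WARN_ON_ONCE` so a module that simply carries data in its text section does not look like a kernel bug.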