lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <161039249026.414.12255461373156299431.tip-bot2@tip-bot2>
Date:   Mon, 11 Jan 2021 19:14:50 -0000
From:   "tip-bot2 for Hyunwook (Wooky) Baek" <tip-bot2@...utronix.de>
To:     linux-tip-commits@...r.kernel.org
Cc:     "Hyunwook (Wooky) Baek" <baekhw@...gle.com>,
        Borislav Petkov <bp@...e.de>,
        David Rientjes <rientjes@...gle.com>, x86@...nel.org,
        linux-kernel@...r.kernel.org
Subject: [tip: x86/urgent] x86/sev-es: Handle string port IO to kernel memory properly

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     7024f60d655272bd2ca1d3a4c9e0a63319b1eea1
Gitweb:        https://git.kernel.org/tip/7024f60d655272bd2ca1d3a4c9e0a63319b1eea1
Author:        Hyunwook (Wooky) Baek <baekhw@...gle.com>
AuthorDate:    Sat, 09 Jan 2021 23:11:02 -08:00
Committer:     Borislav Petkov <bp@...e.de>
CommitterDate: Mon, 11 Jan 2021 20:01:52 +01:00

x86/sev-es: Handle string port IO to kernel memory properly

Don't assume dest/source buffers are userspace addresses when manually
copying data for string I/O or MOVS MMIO, as {get,put}_user() will fail
if handed a kernel address and ultimately lead to a kernel panic.

When invoking INSB/OUTSB instructions in kernel space in a
SEV-ES-enabled VM, the kernel crashes with the following message:

  "SEV-ES: Unsupported exception in #VC instruction emulation - can't continue"

Handle that case properly.

 [ bp: Massage commit message. ]

Fixes: f980f9c31a92 ("x86/sev-es: Compile early handler code into kernel image")
Signed-off-by: Hyunwook (Wooky) Baek <baekhw@...gle.com>
Signed-off-by: Borislav Petkov <bp@...e.de>
Acked-by: David Rientjes <rientjes@...gle.com>
Link: https://lkml.kernel.org/r/20210110071102.2576186-1-baekhw@google.com
---
 arch/x86/kernel/sev-es.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/x86/kernel/sev-es.c b/arch/x86/kernel/sev-es.c
index 0bd1a0f..ab31c34 100644
--- a/arch/x86/kernel/sev-es.c
+++ b/arch/x86/kernel/sev-es.c
@@ -286,6 +286,12 @@ static enum es_result vc_write_mem(struct es_em_ctxt *ctxt,
 	u16 d2;
 	u8  d1;
 
+	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
+	if (!user_mode(ctxt->regs) && !access_ok(target, size)) {
+		memcpy(dst, buf, size);
+		return ES_OK;
+	}
+
 	switch (size) {
 	case 1:
 		memcpy(&d1, buf, 1);
@@ -335,6 +341,12 @@ static enum es_result vc_read_mem(struct es_em_ctxt *ctxt,
 	u16 d2;
 	u8  d1;
 
+	/* If instruction ran in kernel mode and the I/O buffer is in kernel space */
+	if (!user_mode(ctxt->regs) && !access_ok(s, size)) {
+		memcpy(buf, src, size);
+		return ES_OK;
+	}
+
 	switch (size) {
 	case 1:
 		if (get_user(d1, s))

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ