| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <X/3UJ7EtyAb2Ww+6@google.com>
Date: Tue, 12 Jan 2021 08:53:59 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: Jim Mattson <jmattson@...gle.com>,
syzbot <syzbot+e87846c48bf72bc85311@...kaller.appspotmail.com>,
Borislav Petkov <bp@...en8.de>,
"H . Peter Anvin" <hpa@...or.com>, Joerg Roedel <joro@...tes.org>,
kvm list <kvm@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
Ingo Molnar <mingo@...hat.com>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Thomas Gleixner <tglx@...utronix.de>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
the arch/x86 maintainers <x86@...nel.org>
Subject: Re: UBSAN: shift-out-of-bounds in kvm_vcpu_after_set_cpuid
On Tue, Jan 12, 2021, Paolo Bonzini wrote:
> On 12/01/21 00:01, Sean Christopherson wrote:
> > > Perhaps cpuid_query_maxphyaddr() should just look at the low 5 bits of
> > > CPUID.80000008H:EAX?
>
> The low 6 bits I guess---yes, that would make sense and it would have also
> fixed the bug.
No, that wouldn't have fixed this specific bug. In this case, the issue was
CPUID.80000008H:AL == 0; masking off bits 7:6 wouldn't have changed anything.
And, masking bits 7:6 is architecturally wrong. Both the SDM and APM state that
bits 7:0 contain the number of PA bits.
KVM could reject guest.MAXPA > host.MAXPA, but arbitrarily dropping bits would
be wrong.
Powered by blists - more mailing lists