lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 10 Aug 2021 11:15:55 +0200
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Emanuele Giuseppe Esposito <eesposit@...hat.com>,
        kvm@...r.kernel.org
Cc:     Maxim Levitsky <mlevitsk@...hat.com>,
        Sean Christopherson <seanjc@...gle.com>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Jim Mattson <jmattson@...gle.com>,
        Joerg Roedel <joro@...tes.org>, Ingo Molnar <mingo@...hat.com>,
        Borislav Petkov <bp@...en8.de>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] KVM: nSVM: temporarly save vmcb12's efer, cr0 and cr4
 to avoid TOC/TOU races

On 09/08/21 16:53, Emanuele Giuseppe Esposito wrote:
>   	svm_switch_vmcb(svm, &svm->nested.vmcb02);
> +
> +	/* Save vmcb12's EFER, CR0 and CR4 to avoid TOC/TOU races. */
> +	vmcb12_efer = vmcb12->save.efer;
> +	vmcb12_cr0 = vmcb12->save.cr0;
> +	vmcb12_cr4 = vmcb12->save.cr4;
> +
> +	if (!nested_vmcb_valid_sregs(vcpu, &vmcb12->save, vmcb12_efer,
> +				     vmcb12_cr0, vmcb12_cr4) ||
> +	    !nested_vmcb_check_controls(vcpu, &svm->nested.ctl)) {
> +		vmcb12->control.exit_code    = SVM_EXIT_ERR;
> +		vmcb12->control.exit_code_hi = 0;
> +		vmcb12->control.exit_info_1  = 0;
> +		vmcb12->control.exit_info_2  = 0;
> +		return 1;
> +	}

At this point you have already done a svm_switch_vmcb, so you need to 
undo its effects.  This is indeed what returning 1 achieves.  However, 
if you return 1 then the caller does:

         if (enter_svm_guest_mode(vcpu, vmcb12_gpa, vmcb12)) {
	        svm->nested.nested_run_pending = 0;

	        svm->vmcb->control.exit_code    = SVM_EXIT_ERR;
	        svm->vmcb->control.exit_code_hi = 0;
	        svm->vmcb->control.exit_info_1  = 0;
	        svm->vmcb->control.exit_info_2  = 0;

	        nested_svm_vmexit(svm);
	}

where we have three steps:

1) clearing nested_run_pending is all good

2) setting the exit code is good, but then you don't need to do it in 
enter_svm_guest_mode

3) nested_svm_vmexit is problematic; nested_svm_vmexit copies values 
from VMCB02 to VMCB12 but those have not been set yet 
(nested_vmcb02_prepare_save takes care of it).  The simplest way to fix 
this is to add a bool argument to nested_svm_vmexit, saying whether the 
vmcb12 save area should be updated or not.

Paolo

Powered by blists - more mailing lists