lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 8 Sep 2021 00:07:38 +0000
From:   Sean Christopherson <seanjc@...gle.com>
To:     Zhenzhong Duan <zhenzhong.duan@...el.com>
Cc:     kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
        pbonzini@...hat.com, vkuznets@...hat.com, wanpengli@...cent.com,
        jmattson@...gle.com, joro@...tes.org
Subject: Re: [PATCH] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue

On Mon, Sep 06, 2021, Zhenzhong Duan wrote:
> Host value of TSX_CTRL_CPUID_CLEAR field should be unchangable by guest,
> but the mask for this purpose is set to a wrong value. So it doesn't
> take effect.

It would be helpful to provide a bit more info as to just how bad/boneheaded this
bug is.  E.g.

  When updating the host's mask for its MSR_IA32_TSX_CTRL user return entry,
  clear the mask in the found uret MSR instead of vmx->guest_uret_msrs[i].
  Modifying guest_uret_msrs directly is completely broken as 'i' does not
  point at the MSR_IA32_TSX_CTRL entry.  In fact, it's guaranteed to be an
  out-of-bounds accesses as is always set to kvm_nr_uret_msrs in a prior
  loop.  By sheer dumb luck, the fallout is limited to "only" failing to
  preserve the host's TSX_CTRL_CPUID_CLEAR.  The out-of-bounds access is
  benign as it's guaranteed to clear a bit in a guest MSR value, which are
  always zero at vCPU creation on both x86-64 and i386.   

> Fixes: 8ea8b8d6f869 ("KVM: VMX: Use common x86's uret MSR list as the one true list")

Cc: stable@...r.kernel.org

> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@...el.com>
> ---
>  arch/x86/kvm/vmx/vmx.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index 927a552393b9..36588b5feee6 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -6812,7 +6812,7 @@ static int vmx_create_vcpu(struct kvm_vcpu *vcpu)
>  		 */
>  		tsx_ctrl = vmx_find_uret_msr(vmx, MSR_IA32_TSX_CTRL);
>  		if (tsx_ctrl)
> -			vmx->guest_uret_msrs[i].mask = ~(u64)TSX_CTRL_CPUID_CLEAR;
> +			tsx_ctrl->mask = ~(u64)TSX_CTRL_CPUID_CLEAR;

Egad, that's a horrific oversight on my part.

Reviewed-by: Sean Christopherson <seanjc@...gle.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ