Date:   Sun, 26 Sep 2021 01:43:33 +0000
From:   "Duan, Zhenzhong" <zhenzhong.duan@...el.com>
To:     Sean Christopherson <seanjc@...gle.com>
CC:     "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "pbonzini@...hat.com" <pbonzini@...hat.com>,
        "vkuznets@...hat.com" <vkuznets@...hat.com>,
        "wanpengli@...cent.com" <wanpengli@...cent.com>,
        "jmattson@...gle.com" <jmattson@...gle.com>,
        "joro@...tes.org" <joro@...tes.org>
Subject: RE: [PATCH] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue

>-----Original Message-----
>From: Sean Christopherson <seanjc@...gle.com>
>Sent: Wednesday, September 8, 2021 8:08 AM
>To: Duan, Zhenzhong <zhenzhong.duan@...el.com>
>Cc: kvm@...r.kernel.org; linux-kernel@...r.kernel.org;
>pbonzini@...hat.com; vkuznets@...hat.com; wanpengli@...cent.com;
>jmattson@...gle.com; joro@...tes.org
>Subject: Re: [PATCH] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask
>issue
>
>On Mon, Sep 06, 2021, Zhenzhong Duan wrote:
>> Host value of TSX_CTRL_CPUID_CLEAR field should be unchangeable by
>> guest, but the mask for this purpose is set to a wrong value. So it
>> doesn't take effect.
>
>It would be helpful to provide a bit more info as to just how bad/boneheaded
>this bug is.  E.g.
>
>  When updating the host's mask for its MSR_IA32_TSX_CTRL user return entry,
>  clear the mask in the found uret MSR instead of vmx->guest_uret_msrs[i].
>  Modifying guest_uret_msrs directly is completely broken as 'i' does not
>  point at the MSR_IA32_TSX_CTRL entry.  In fact, it's guaranteed to be an
>  out-of-bounds access as 'i' is always set to kvm_nr_uret_msrs in a prior
>  loop.  By sheer dumb luck, the fallout is limited to "only" failing to
>  preserve the host's TSX_CTRL_CPUID_CLEAR.  The out-of-bounds access is
>  benign as it's guaranteed to clear a bit in a guest MSR value, which are
>  always zero at vCPU creation on both x86-64 and i386.
Sorry for the late response, I missed this mail because of a wrong mail rule.
Your comment is clearer; I'll use it in v2.

Thanks
Zhenzhong
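The indexing mistake discussed above, and why a wrong mask lets the guest override the host's TSX_CTRL_CPUID_CLEAR, as an added C model that is not KVM's code and was not written by either participant. The names (uret_msr, vcpu_model, init_vcpu, find_uret_msr, set_tsx_mask_buggy, set_tsx_mask_fixed, effective_value, host_cpuid_clear_preserved, stale_index_status), the four-slot table and the host's TSX_CTRL value are assumptions constructed for the example; only MSR_IA32_TSX_CTRL and TSX_CTRL_CPUID_CLEAR are taken from the thread.

```c
/*
 * Added example, not KVM source: a scaled-down model of KVM's user-return MSR
 * table, showing why clearing the mask on guest_uret_msrs[i] with a stale 'i'
 * misses the MSR_IA32_TSX_CTRL slot and what the host loses as a result.
 * The names, the four-slot table and the host's TSX_CTRL value are assumed.
 */
#include <stdint.h>
#include <stdio.h>

#define MSR_IA32_TSX_CTRL     0x122u       /* architectural MSR index */
#define TSX_CTRL_CPUID_CLEAR  (1ull << 1)  /* hides TSX from CPUID */
#define NR_URET_MSRS          4            /* assumed table size */

struct uret_msr {
	uint32_t msr;   /* MSR index */
	uint64_t mask;  /* bits the guest may change; host bits outside are kept */
};

struct vcpu_model { struct uret_msr guest_uret_msrs[NR_URET_MSRS]; };

/* Fill the table; as in the message, the loop counter ends one past the last slot. */
static int init_vcpu(struct vcpu_model *v)
{
	static const uint32_t msrs[NR_URET_MSRS] = {
		0xc0000080u, 0xc0000081u, MSR_IA32_TSX_CTRL, 0xc0000100u };
	int i;
	for (i = 0; i < NR_URET_MSRS; i++) {
		v->guest_uret_msrs[i].msr = msrs[i];
		v->guest_uret_msrs[i].mask = ~0ull; /* default: guest may change every bit */
	}
	return i; /* == NR_URET_MSRS, the stale index the buggy code wrote through */
}

static struct uret_msr *find_uret_msr(struct vcpu_model *v, uint32_t msr)
{
	for (int i = 0; i < NR_URET_MSRS; i++)
		if (v->guest_uret_msrs[i].msr == msr)
			return &v->guest_uret_msrs[i];
	return NULL;
}

/* Buggy pattern: look the MSR up, then write through the stale index.
 * This model bounds-checks and returns -1; the real code did not check. */
static int set_tsx_mask_buggy(struct vcpu_model *v, int i)
{
	if (!find_uret_msr(v, MSR_IA32_TSX_CTRL) || i < 0 || i >= NR_URET_MSRS)
		return -1;
	v->guest_uret_msrs[i].mask = ~(uint64_t)TSX_CTRL_CPUID_CLEAR;
	return 0;
}

/* Fixed pattern: write through the entry the lookup returned. */
static int set_tsx_mask_fixed(struct vcpu_model *v)
{
	struct uret_msr *tsx = find_uret_msr(v, MSR_IA32_TSX_CTRL);
	if (!tsx)
		return -1;
	tsx->mask = ~(uint64_t)TSX_CTRL_CPUID_CLEAR;
	return 0;
}

/* Merge rule on guest entry: guest bits inside the mask, host bits outside it. */
static uint64_t effective_value(uint64_t guest, uint64_t host, uint64_t mask)
{
	return (guest & mask) | (host & ~mask);
}

/* Fresh model, host has CPUID_CLEAR set, guest writes 0: does the host bit survive? */
static int host_cpuid_clear_preserved(int use_fix)
{
	struct vcpu_model v;
	int i = init_vcpu(&v);
	uint64_t loaded;
	if (use_fix)
		set_tsx_mask_fixed(&v);
	else
		set_tsx_mask_buggy(&v, i); /* misses the table; mask stays ~0 */
	loaded = effective_value(0, TSX_CTRL_CPUID_CLEAR,
				 find_uret_msr(&v, MSR_IA32_TSX_CTRL)->mask);
	return (loaded & TSX_CTRL_CPUID_CLEAR) != 0;
}

/* Return code of the buggy write on a fresh model: -1 means out of bounds. */
static int stale_index_status(void)
{
	struct vcpu_model v;
	int i = init_vcpu(&v);
	return set_tsx_mask_buggy(&v, i);
}

int main(void)
{
	printf("stale-index write: %s\n",
	       stale_index_status() == -1 ? "out of bounds" : "in bounds");
	printf("host CPUID_CLEAR kept, buggy mask: %d\n", host_cpuid_clear_preserved(0));
	printf("host CPUID_CLEAR kept, fixed mask: %d\n", host_cpuid_clear_preserved(1));
	return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The merge rule in effective_value is the point: a user-return MSR mask names the bits the guest value is allowed to carry into hardware, so a slot whose mask was never narrowed lets a guest write of 0 wipe the host's CPUID_CLEAR setting, which is exactly the "fails to preserve" fallout in the message. The real code had no bounds check, so its stale-index write landed past the table on zero-initialised guest data instead of faulting; this model replaces that silent miss with the -1 return to make it visible.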
