lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 7 Mar 2022 20:20:19 +0800
From:   Hao Xiang <hao.xiang@...ux.alibaba.com>
To:     chang.seok.bae@...el.com
Cc:     bp@...en8.de, dave.hansen@...ux.intel.com,
        linux-kernel@...r.kernel.org, mingo@...hat.com,
        ravi.v.shankar@...el.com, tglx@...utronix.de, x86@...nel.org,
        yang.zhong@...el.com
Subject: Re: [PATCH v4 1/2] x86/arch_prctl: Fix the ARCH_REQ_XCOMP_PERM
 implementation

x86/arch_prctl: Fix the ARCH_REQ_XCOMP_PERM implementation

If WRITE_ONCE(perm->__state_perm, requested) is modified to
WRITE_ONCE(perm->__state_perm, mask), When the qemu process does not 
request the XFEATURE_MASK_XTILE_DATA xsave state permission, there may 
be a gp error (kvm: kvm_set_xcr line 1091 inject gp fault with cpl 0) 
because __kvm_set_xcr return 1.

static int __kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr){
     ...
     // xcr0 includes XFEATURE_MASK_XTILE_CFG by default.
     if ((xcr0 & XFEATURE_MASK_XTILE) &&
         ((xcr0 & XFEATURE_MASK_XTILE) != XFEATURE_MASK_XTILE))
         return 1;
     ...
}

diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 02b3dda..2d4363e 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -1636,7 +1636,7 @@ static int __xstate_request_perm(u64 permitted, 
u64 requested, bool guest)

         perm = guest ? &fpu->guest_perm : &fpu->perm;
         /* Pairs with the READ_ONCE() in xstate_get_group_perm() */
-       WRITE_ONCE(perm->__state_perm, requested);
+       WRITE_ONCE(perm->__state_perm, mask);
         /* Protected by sighand lock */
         perm->__state_size = ksize;
         perm->__user_state_size = usize;
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index 494d4d3..e8704568 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -908,6 +908,9 @@ static inline int __do_cpuid_func(struct 
kvm_cpuid_array *array, u32 function)
                 break;
         case 0xd: {
                 u64 permitted_xcr0 = supported_xcr0 & 
xstate_get_guest_group_perm();
+               permitted_xcr0 = ((permitted_xcr0 & 
XFEATURES_MASK_XTILE) != XFEATURES_MASK_XTILE)
+                               ? permitted_xcr0
+                               : permitted_xcr0 & ~XFEATURES_MASK_XTILE;
                 u64 permitted_xss = supported_xss;

                 entry->eax &= permitted_xcr0;

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ