lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 12 May 2022 15:51:24 +0200
From:   Christian Borntraeger <borntraeger@...ux.ibm.com>
To:     David Hildenbrand <david@...hat.com>,
        Janis Schoetterl-Glausch <scgl@...ux.ibm.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Jonathan Corbet <corbet@....net>,
        Janosch Frank <frankja@...ux.ibm.com>,
        Claudio Imbrenda <imbrenda@...ux.ibm.com>,
        Heiko Carstens <hca@...ux.ibm.com>,
        Vasily Gorbik <gor@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>
Cc:     Sven Schnelle <svens@...ux.ibm.com>, kvm@...r.kernel.org,
        linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-s390@...r.kernel.org
Subject: Re: [PATCH v3 1/2] KVM: s390: Don't indicate suppression on dirtying,
 failing memop



Am 12.05.22 um 15:22 schrieb David Hildenbrand:
> On 12.05.22 15:10, Janis Schoetterl-Glausch wrote:
>> If user space uses a memop to emulate an instruction and that
>> memop fails, the execution of the instruction ends.
>> Instruction execution can end in different ways, one of which is
>> suppression, which requires that the instruction execute like a no-op.
>> A writing memop that spans multiple pages and fails due to key
>> protection may have modified guest memory, as a result, the likely
>> correct ending is termination. Therefore, do not indicate a
>> suppressing instruction ending in this case.
> 
> I think that is possibly problematic handling.
> 
> In TCG we stumbled in similar issues in the past for MVC when crossing
> page boundaries. Failing after modifying the first page already
> seriously broke some user space, because the guest would retry the
> instruction after fixing up the fault reason on the second page: if
> source and destination operands overlap, you'll be in trouble because
> the input parameters already changed.
> 
> For this reason, in TCG we make sure that all accesses are valid before
> starting modifications.
> 
> See target/s390x/tcg/mem_helper.c:do_helper_mvc with access_prepare()
> and friends as an example.
> 
> Now, I don't know how to tackle that for KVM, I just wanted to raise
> awareness that injecting an interrupt after modifying page content is
> possible dodgy and dangerous.

this is really special and only for key protection crossing pages.
Its been done since the 70ies in that way on z/VM. The architecture
is and was always written in a way to allow termination for this
case for hypervisors.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ