lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 19 Jul 2022 22:16:11 +0200
From:   Peter Zijlstra <peterz@...radead.org>
To:     "Michael Kelley (LINUX)" <mikelley@...rosoft.com>
Cc:     Andrew Cooper <Andrew.Cooper3@...rix.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        LKML <linux-kernel@...r.kernel.org>,
        "x86@...nel.org" <x86@...nel.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Tim Chen <tim.c.chen@...ux.intel.com>,
        Josh Poimboeuf <jpoimboe@...nel.org>,
        Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
        Johannes Wikner <kwikner@...z.ch>,
        Alyssa Milburn <alyssa.milburn@...ux.intel.com>,
        Jann Horn <jannh@...gle.com>, "H.J. Lu" <hjl.tools@...il.com>,
        Joao Moreira <joao.moreira@...el.com>,
        Joseph Nuzman <joseph.nuzman@...el.com>,
        Steven Rostedt <rostedt@...dmis.org>,
        Juergen Gross <jgross@...e.com>,
        Masami Hiramatsu <mhiramat@...nel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        KY Srinivasan <kys@...rosoft.com>,
        Haiyang Zhang <haiyangz@...rosoft.com>,
        Stephen Hemminger <sthemmin@...rosoft.com>,
        Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>
Subject: Re: Virt Call depth tracking mitigation

On Tue, Jul 19, 2022 at 02:45:40PM +0000, Michael Kelley (LINUX) wrote:

> In Hyper-V, the hypercall page is *not* writable by the guest.  Quoting
> from Section 3.13 in the Hyper-V TLFS:
> 
>     The hypercall page appears as an "overlay" to the GPA space; that is,
>     it covers whatever else is mapped to the GPA range. Its contents are
>     readable and executable by the guest. Attempts to write to the
>     hypercall page will result in a protection (#GP) exception.
> 
> And:
> 
>     After the interface has been established, the guest can initiate a
>     hypercall. To do so, it populates the registers per the hypercall protocol
>     and issues a CALL to the beginning of the hypercall page. The guest
>     should assume the hypercall page performs the equivalent of a near
>     return (0xC3) to return to the caller.  As such, the hypercall must be
>     invoked with a valid stack.

I'm hoping that these days you're following that 0xc3 with a 0xcc at the
very least ?

IIRC the whole hyper-v thing is negotiated using (virtual) MSRs, would
it be possible to write the address of a return thunk into an MSR and
have the hypervisor rewrite the hypercall page accordingly?

This is needed for the AMD jmp2ret thing anyway. Or you get to eat an
IBPB before every hypercall, which I'm guessing your performance people
aren't keen on.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ