lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 24 Mar 2023 11:34:28 -0700
From:   Mingwei Zhang <mizhang@...gle.com>
To:     Sean Christopherson <seanjc@...gle.com>
Cc:     linux-kernel@...r.kernel.org,
        Lai Jiangshan <jiangshanlai@...il.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Lai Jiangshan <jiangshan.ljs@...group.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>, kvm@...r.kernel.org
Subject: Re: [PATCH] kvm: x86/mmu: Simplify pte_list_{add|remove}

On Thu, Mar 23, 2023 at 3:51 PM Sean Christopherson <seanjc@...gle.com> wrote:
>
> On Fri, 13 Jan 2023 20:29:10 +0800, Lai Jiangshan wrote:
> > Simplify pte_list_{add|remove} by ensuring all the non-head pte_list_desc
> > to be full and addition/removal actions being performed on the head.
> >
> > To make pte_list_add() return a count as before, @tail_count is also
> > added to the struct pte_list_desc.
> >
> > No visible performace is changed in tests.  But pte_list_add() is no longer
> > shown in the perf result for the COWed pages even the guest forks millions
> > of tasks.
> >
> > [...]
>
> Applied to kvm-x86 mmu, thanks!  I added quite a few comments and a BUG_ON() to
> sanity check that the head is never empty when trying to remove an entry, but I
> didn't make anything changes to the code itself.
>
> [1/1] kvm: x86/mmu: Simplify pte_list_{add|remove}
>       https://github.com/kvm-x86/linux/commit/141705b78381
>

I am not sure if it is possible, but now spte_count is u32 so does
tail_count. I wonder if an attacker could use the potential integer
overflow to trigger this? E.g,: creating a huge number of little L1
EPTs with the many nGPA-> one GPA? hmm, I think it could overflow
tail_count? Please double check.

spte_count is u32, but assigned to an (signed) int j and BUG_ON(j <
0)? Please don't add more BUG_ON in KVM mmu... and please change
either 'spte_count' to 'int' or 'j' to u32.

In general, please, no BUG_ON(), at least no more BUG_ON() on our nested MMU...

Please take a second thought on this one before merge!

Thanks.

-Mingwei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ