lists.openwall.net
Message-ID: <ZDScAeHJKrZK7KAp@google.com>
Date:   Mon, 10 Apr 2023 16:30:09 -0700
From:   Sean Christopherson <seanjc@...gle.com>
To:     Mathias Krause <minipli@...ecurity.net>
Cc:     Paolo Bonzini <pbonzini@...hat.com>, kvm@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] KVM: x86/mmu: Refresh CR0.WP prior to checking for
 emulated permission faults

On Wed, Apr 05, 2023, Mathias Krause wrote:
> On 05.04.23 02:26, Sean Christopherson wrote:
> > If CR0.WP may be guest-owned, i.e. TDP is enabled, refresh the MMU's
> > snapshot of the guest's CR0.WP prior to checking for permission faults
> > when emulating a guest memory access.  If the guest toggles only CR0.WP
> > and triggers emulation of a supervisor write, e.g. when KVM is emulating
> > UMIP, KVM may consume a stale CR0.WP, i.e. use stale protection bits
> > metadata.
> 
> This reads a little awkwardly for a non-native speaker.

Heh, I don't think being a non-native English speaker has anything to do with it
being awkward; I also found it confusing when I reread it :-)

I rewrote the changelog to the below when applying.  Holler if it's still weird,
I can easily fixup and force push the changelog.

Thanks!

    Refresh the MMU's snapshot of the vCPU's CR0.WP prior to checking for
    permission faults when emulating a guest memory access and CR0.WP may be
    guest owned.  If the guest toggles only CR0.WP and triggers emulation of
    a supervisor write, e.g. when KVM is emulating UMIP, KVM may consume a
    stale CR0.WP, i.e. use stale protection bits metadata.
    
    Note, KVM passes through CR0.WP if and only if EPT is enabled as CR0.WP
    is part of the MMU role for legacy shadow paging, and SVM (NPT) doesn't
    support per-bit interception controls for CR0.  Don't bother checking for
    EPT vs. NPT as the "old == new" check will always be true under NPT, i.e.
    the only cost is the read of vcpu->arch.cr4 (SVM unconditionally grabs CR0
    from the VMCB on VM-Exit).

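The failure mode the changelog describes, as an added toy model in C (this is not KVM code; the struct names, the refresh_cr0_wp helper and the scenario function are hypothetical stand-ins for the real vcpu/MMU state). It encodes the architectural rule that a supervisor write to a read-only page faults only when CR0.WP=1, keeps a cached copy of CR0.WP in the "MMU" the way the commit describes, and then emulates a supervisor write after the guest has flipped only CR0.WP with no VM-exit. With the stale snapshot the emulator gets the permission check wrong in both directions: after a 0->1 toggle it lets the write through a page the guest just made read-only, and after a 1->0 toggle it injects a spurious fault. Re-reading CR0.WP before the check, with the same "old == new" short-circuit the commit mentions, fixes both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model (not KVM code) of why a cached CR0.WP must be refreshed before
 * an emulated permission check when the guest owns CR0.WP.
 */
#define X86_CR0_WP   (1u << 16)   /* architectural CR0.WP bit position */
#define PTE_PRESENT  (1u << 0)
#define PTE_WRITE    (1u << 1)
#define PTE_USER     (1u << 2)

struct toy_vcpu {
	uint32_t cr0;     /* CR0 as the guest last wrote it (hypothetical field) */
};

struct toy_mmu {
	bool cr0_wp;      /* the MMU's snapshot of CR0.WP (hypothetical field) */
};

/*
 * x86 rule: a user write faults unless the PTE is user+writable; a
 * supervisor write to a read-only page faults only when CR0.WP is set.
 */
static bool write_faults(const struct toy_mmu *mmu, uint32_t pte, bool user)
{
	if (!(pte & PTE_PRESENT))
		return true;
	if (user)
		return !(pte & PTE_USER) || !(pte & PTE_WRITE);
	return mmu->cr0_wp && !(pte & PTE_WRITE);
}

/* Re-read CR0.WP from the vCPU; the "old == new" compare is the cheap path. */
static void refresh_cr0_wp(struct toy_mmu *mmu, const struct toy_vcpu *vcpu)
{
	bool new_wp = (vcpu->cr0 & X86_CR0_WP) != 0;

	if (mmu->cr0_wp != new_wp)
		mmu->cr0_wp = new_wp;
}

/*
 * Scenario from the changelog: the snapshot was taken with CR0.WP =
 * wp_at_snapshot, the guest then sets CR0.WP = wp_now without a VM-exit
 * (the bit is guest-owned), and a supervisor write to a present, read-only,
 * supervisor-only page is emulated.  Returns whether the emulator reports a
 * permission fault.
 */
static bool emulated_supervisor_write_faults(bool wp_at_snapshot, bool wp_now,
					     bool refresh_first)
{
	struct toy_vcpu vcpu = { .cr0 = wp_at_snapshot ? X86_CR0_WP : 0 };
	struct toy_mmu mmu = { .cr0_wp = false };
	uint32_t ro_pte = PTE_PRESENT;		/* present, read-only, supervisor */

	refresh_cr0_wp(&mmu, &vcpu);		/* snapshot at some earlier exit */

	/* Guest toggles only CR0.WP; no exit, so the snapshot is untouched. */
	vcpu.cr0 = wp_now ? (vcpu.cr0 | X86_CR0_WP) : (vcpu.cr0 & ~X86_CR0_WP);

	if (refresh_first)
		refresh_cr0_wp(&mmu, &vcpu);	/* what the patch adds */

	return write_faults(&mmu, ro_pte, false);
}

int main(void)
{
	/* Stale snapshot lets a supervisor write through a WP=1 read-only page. */
	printf("WP 0->1, stale:     fault=%d\n",
	       emulated_supervisor_write_faults(false, true, false));
	printf("WP 0->1, refreshed: fault=%d\n",
	       emulated_supervisor_write_faults(false, true, true));
	/* Stale snapshot injects a spurious fault after WP 1->0. */
	printf("WP 1->0, stale:     fault=%d\n",
	       emulated_supervisor_write_faults(true, false, false));
	printf("WP 1->0, refreshed: fault=%d\n",
	       emulated_supervisor_write_faults(true, false, true));
	return 0;
}
```

The model deliberately ignores NX, SMEP/SMAP and PKU so that the only protection input that changes between the two runs is CR0.WP; the point is that any permission metadata derived from a guest-owned control bit is only as fresh as the last time it was re-read.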