| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241129095812.GA4298@willie-the-truck> Date: Fri, 29 Nov 2024 09:58:13 +0000 From: Will Deacon <will@...nel.org> To: Quentin Perret <qperret@...gle.com> Cc: Marc Zyngier <maz@...nel.org>, Oliver Upton <oliver.upton@...ux.dev>, Joey Gouly <joey.gouly@....com>, Suzuki K Poulose <suzuki.poulose@....com>, Zenghui Yu <yuzenghui@...wei.com>, Catalin Marinas <catalin.marinas@....com>, linux-arm-kernel@...ts.infradead.org, kvmarm@...ts.linux.dev, linux-kernel@...r.kernel.org Subject: Re: [PATCH] KVM: arm64: Always check the state from hyp_ack_unshare() On Thu, Nov 28, 2024 at 03:44:06PM +0000, Quentin Perret wrote: > There are multiple pKVM memory transitions where the state of a page is > not cross-checked from the completer's PoV for performance reasons. > For example, if a page is PKVM_PAGE_OWNED from the initiator's PoV, > we should be guaranteed by construction that it is PKVM_NOPAGE for > everybody else, hence allowing us to save a page-table lookup. > > When it was introduced, hyp_ack_unshare() followed that logic and bailed > out without checking the PKVM_PAGE_SHARED_BORROWED state in the > hypervisor's stage-1. This was correct as we could safely assume that > all host-initiated shares were directed at the hypervisor at the time. > But with the introduction of other types of shares (e.g. for FF-A or > non-protected guests), it is now very much required to cross check this > state to prevent the host from running __pkvm_host_unshare_hyp() on a > page shared with TZ or a non-protected guest. > > Thankfully, if an attacker were to try this, the hyp_unmap() call from > hyp_complete_unshare() would fail, hence causing to WARN() from > __do_unshare() with the host lock held, which is fatal. But this is > fragile at best, and can hardly be considered a security measure. > > Let's just do the right thing and always check the state from > hyp_ack_unshare(). > > Signed-off-by: Quentin Perret <qperret@...gle.com> > --- > arch/arm64/kvm/hyp/nvhe/mem_protect.c | 3 --- > 1 file changed, 3 deletions(-) > > diff --git a/arch/arm64/kvm/hyp/nvhe/mem_protect.c b/arch/arm64/kvm/hyp/nvhe/mem_protect.c > index caba3e4bd09e..e75374d682f4 100644 > --- a/arch/arm64/kvm/hyp/nvhe/mem_protect.c > +++ b/arch/arm64/kvm/hyp/nvhe/mem_protect.c > @@ -783,9 +783,6 @@ static int hyp_ack_unshare(u64 addr, const struct pkvm_mem_transition *tx) > if (tx->initiator.id == PKVM_ID_HOST && hyp_page_count((void *)addr)) > return -EBUSY; > > - if (__hyp_ack_skip_pgtable_check(tx)) > - return 0; > - Acked-by: Will Deacon <will@...nel.org> I suppose __hyp_ack_skip_pgtable_check() is now quite poorly named, since we only want to use it in cases where the page is PKVM_PAGE_OWNED by the initiator. Hopefully nobody smart tries to add it back here! Will
Powered by blists - more mailing lists