| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <90640a5d-ff17-4555-adc6-ae9e21e24ebd@citrix.com> Date: Thu, 19 Dec 2024 23:26:30 +0000 From: Andrew Cooper <andrew.cooper3@...rix.com> To: sedat.dilek@...il.com Cc: Juergen Gross <jgross@...e.com>, Peter Zijlstra <peterz@...radead.org>, Sami Tolvanen <samitolvanen@...gle.com>, Jan Beulich <jbeulich@...e.com>, Josh Poimboeuf <jpoimboe@...hat.com>, Linus Torvalds <torvalds@...ux-foundation.org>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Sasha Levin <sashal@...nel.org>, linux-kernel@...r.kernel.org, stable@...r.kernel.org, Kees Cook <kees@...nel.org>, Nathan Chancellor <nathan@...nel.org>, llvm@...ts.linux.dev Subject: Re: [Linux-6.12.y] XEN: CVE-2024-53241 / XSA-466 and Clang-kCFI On 19/12/2024 11:10 pm, Sedat Dilek wrote: > On Thu, Dec 19, 2024 at 6:07 PM Sedat Dilek <sedat.dilek@...il.com> wrote: >> On Thu, Dec 19, 2024 at 5:44 PM Andrew Cooper <andrew.cooper3@...rix.com> wrote: >>> On 19/12/2024 4:14 pm, Sedat Dilek wrote: >>>> Hi, >>>> >>>> Linux v6.12.6 will include XEN CVE fixes from mainline. >>>> >>>> Here, I use Debian/unstable AMD64 and the SLIM LLVM toolchain 19.1.x >>>> from kernel.org. >>>> >>>> What does it mean in ISSUE DESCRIPTION... >>>> >>>> Furthermore, the hypercall page has no provision for Control-flow >>>> Integrity schemes (e.g. kCFI/CET-IBT/FineIBT), and will simply >>>> malfunction in such configurations. >>>> >>>> ...when someone uses Clang-kCFI? >>> The hypercall page has functions of the form: >>> >>> MOV $x, %eax >>> VMCALL / VMMCALL / SYSCALL >>> RET >>> >>> There are no ENDBR instructions, and no prologue/epilogue for hash-based >>> CFI schemes. >>> >>> This is because it's code provided by Xen, not code provided by Linux. >>> >>> The absence of ENDBR instructions will yield #CP when CET-IBT is active, >>> and the absence of hash prologue/epilogue lets the function be used in a >>> type-confused manor that CFI should have caught. >>> >>> ~Andrew >> Thanks for the technical explanation, Andrew. >> >> Hope that helps the folks of "CLANG CONTROL FLOW INTEGRITY SUPPORT". >> >> I am not an active user of XEN in the Linux-kernel but I am willing to >> test when Linux v6.12.6 is officially released and give feedback. >> > https://wiki.xenproject.org/wiki/Testing_Xen#Presence_test > https://wiki.xenproject.org/wiki/Testing_Xen#Commands_for_presence_testing > > # apt install -t unstable xen-utils-4.17 -y > > # xl list > Name ID Mem VCPUs State Time(s) > Domain-0 0 7872 4 r----- 398.2 > > Some basic tests LGTM - see also attached stuff. > > If you have any tests to recommend, let me know. That itself is good enough as a smoke test. Thankyou for trying it out. If you want something a bit more thorough, try https://xenbits.xen.org/docs/xtf/ (Xen's self-tests) Grab and build it, and `./xtf-runner -aqq --host` will run a variety of extra codepaths in dom0, without the effort of making/running full guests. ~Andrew
Powered by blists - more mailing lists