Message-ID: <9e37bad3-86e2-4093-afd4-a2c2f9873c3a@xen.org>
Date: Mon, 3 Feb 2025 09:09:09 +0000
From: Paul Durrant <xadimgnik@...il.com>
To: Sean Christopherson <seanjc@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>, David Woodhouse <dwmw2@...radead.org>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+cdeaeec70992eca2d920@...kaller.appspotmail.com,
Joao Martins <joao.m.martins@...cle.com>, David Woodhouse <dwmw@...zon.co.uk>
Subject: Re: [PATCH 1/5] KVM: x86/xen: Restrict hypercall MSR to unofficial synthetic range
On 01/02/2025 01:13, Sean Christopherson wrote:
> Reject userspace attempts to set the Xen hypercall page MSR to an index
> outside of the "standard" virtualization range [0x40000000, 0x4fffffff],
> as KVM is not equipped to handle collisions with real MSRs, e.g. KVM
> doesn't update MSR interception, conflicts with VMCS/VMCB fields, special
> case writes in KVM, etc.
>
> Allowing userspace to redirect any MSR write can also be used to attack
> the kernel, as kvm_xen_write_hypercall_page() takes multiple locks and
> writes to guest memory. E.g. if userspace sets the MSR to MSR_IA32_XSS,
> KVM's write to MSR_IA32_XSS during vCPU creation will trigger an SRCU
> violation due to writing guest memory:
>
> =============================
> WARNING: suspicious RCU usage
> 6.13.0-rc3
> -----------------------------
> include/linux/kvm_host.h:1046 suspicious rcu_dereference_check() usage!
>
> stack backtrace:
> CPU: 6 UID: 1000 PID: 1101 Comm: repro Not tainted 6.13.0-rc3
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
> Call Trace:
> <TASK>
> dump_stack_lvl+0x7f/0x90
> lockdep_rcu_suspicious+0x176/0x1c0
> kvm_vcpu_gfn_to_memslot+0x259/0x280
> kvm_vcpu_write_guest+0x3a/0xa0
> kvm_xen_write_hypercall_page+0x268/0x300
> kvm_set_msr_common+0xc44/0x1940
> vmx_set_msr+0x9db/0x1fc0
> kvm_vcpu_reset+0x857/0xb50
> kvm_arch_vcpu_create+0x37e/0x4d0
> kvm_vm_ioctl+0x669/0x2100
> __x64_sys_ioctl+0xc1/0xf0
> do_syscall_64+0xc5/0x210
> entry_SYSCALL_64_after_hwframe+0x4b/0x53
> RIP: 0033:0x7feda371b539
>
> While the MSR index isn't strictly ABI, i.e. can theoretically float to
> any value, in practice no known VMM sets the MSR index to anything other
> than 0x40000000 or 0x40000200.
>
> Reported-by: syzbot+cdeaeec70992eca2d920@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/all/679258d4.050a0220.2eae65.000a.GAE@google.com
> Cc: Joao Martins <joao.m.martins@...cle.com>
> Cc: Paul Durrant <paul@....org>
> Cc: David Woodhouse <dwmw@...zon.co.uk>
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
> ---
> arch/x86/kvm/xen.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
Reviewed-by: Paul Durrant <paul@....org>