| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251030185802.3375059-1-seanjc@google.com>
Date: Thu, 30 Oct 2025 11:58:00 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
Alexander Potapenko <glider@...gle.com>
Subject: [PATCH 0/2] KVM: x86: Fix an FPU+CET splat
Fix a explosion found via syzkaller+KASAN where KVM attempts to "put" an
FPU without first having loading the FPU. The underlying problem is the
ugly hack for dealing with INIT being processed during MP_STATE.
KVM needs to ensure the FPU state is resident in memory in order to clear
MPX and CET state. In most cases, INIT is emulated during KVM_RUN, and so
KVM needs to put the FPU. But for MP_STATE, the FPU doesn't need to be
loaded, and so isn't. Except when KVM predicts that the FPU will be
unloaded. CET enabling updated the "put" path but missed the prediction
logic in MP_STATE.
Rip out the ugly hack and instead do the obvious-in-hindsight thing of
checking if the FPU is loaded (or not). To retain a sanity check, e.g.
that the FPU is loaded as expected during KVM_RUN, WARN if the FPU being
loaded and the vCPU wanting to run aren't equal.
Sean Christopherson (2):
KVM: x86: Unload "FPU" state on INIT if and only if its currently
in-use
KVM: x86: Harden KVM against imbalanced load/put of guest FPU state
arch/x86/kvm/x86.c | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
base-commit: 4361f5aa8bfcecbab3fc8db987482b9e08115a6a
--
2.51.1.930.gacf6e81ea2-goog
Powered by blists - more mailing lists