| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251113225621.1688428-1-seanjc@google.com>
Date: Thu, 13 Nov 2025 14:56:12 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Sean Christopherson <seanjc@...gle.com>, Paolo Bonzini <pbonzini@...hat.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>, "K. Y. Srinivasan" <kys@...rosoft.com>,
Haiyang Zhang <haiyangz@...rosoft.com>, Wei Liu <wei.liu@...nel.org>,
Dexuan Cui <decui@...rosoft.com>
Cc: kvm@...r.kernel.org, linux-hyperv@...r.kernel.org,
linux-kernel@...r.kernel.org, Jim Mattson <jmattson@...gle.com>,
Yosry Ahmed <yosry.ahmed@...ux.dev>
Subject: [PATCH 0/9] KVM: SVM: Fix (hilarious) exit_code bugs
Hyper-V folks, y'all are getting Cc'd because of a change in
include/hyperv/hvgdk.h to ensure HV_SVM_EXITCODE_ENL is an unsigned value.
AFAICT, only KVM consumes that macro. That said, any insight you can provide
on relevant Hyper-V behavior would be appreciated :-)
Fix bugs in SVM that mostly impact nested SVM where KVM treats exit codes
as 32-bit values instead of 64-bit values. I have no idea how KVM ended up
with such an egregious flaw, as the blame trail goes all the way back to
commit 6aa8b732ca01 ("[PATCH] kvm: userspace interface"). Maybe there was
pre-production hardware or something?
I'm also fairly surprised no one has noticed, as at least Xen treats exit
codes as 64-bit values. Maybe the only people that run hypervisor tests on
top of KVM are also running KVM, or similarly buggy tests? /shrug
The most dangerous aspect of the mess is that simply fixing KVM would likely
break KVM-on-KVM setups if only L1 is patched. To try and avoid such
breakage while also fixing KVM, I opted to have KVM retain its checks on
only bits 31:0 if KVM is running as a VM (as detected by
X86_FEATURE_HYPERVISOR).
I stumbled on this when trying to resolve a array_index_nospec() build failure
on 32-bit kernels (array_index_nospec() requires the index to fit in an
"unsigned long").
Oh, and I have KUT changes to detect the nSVM bugs.
Because of the potential for breakage, I tagged only the nSVM fixes for
stable@. E.g. I almost botched things by sending this as two separate
series, which would have create a window where svm_invoke_exit_handler()
would process a 64-bit code when running KVM-on-KVM and thus break if L0
KVM left gargage in bits 63:32.
Sean Christopherson (9):
KVM: nSVM: Clear exit_code_hi in VMCB when synthesizing nested
VM-Exits
KVM: nSVM: Set exit_code_hi to -1 when synthesizing SVM_EXIT_ERR
(failed VMRUN)
KVM: SVM: Add a helper to detect VMRUN failures
KVM: SVM: Open code handling of unexpected exits in
svm_invoke_exit_handler()
KVM: SVM: Check for an unexpected VM-Exit after RETPOLINE "fast"
handling
KVM: SVM: Filter out 64-bit exit codes when invoking exit handlers on
bare metal
KVM: SVM: Treat exit_code as an unsigned 64-bit value through all of
KVM
KVM: SVM: Limit incorrect check on SVM_EXIT_ERR to running as a VM
KVM: SVM: Harden exit_code against being used in Spectre-like attacks
arch/x86/include/asm/svm.h | 3 +-
arch/x86/include/uapi/asm/svm.h | 32 ++++++++++-----------
arch/x86/kvm/svm/hyperv.c | 1 -
arch/x86/kvm/svm/nested.c | 29 +++++++------------
arch/x86/kvm/svm/sev.c | 36 ++++++++----------------
arch/x86/kvm/svm/svm.c | 49 +++++++++++++++++++--------------
arch/x86/kvm/svm/svm.h | 17 ++++++++----
arch/x86/kvm/trace.h | 2 +-
include/hyperv/hvgdk.h | 2 +-
9 files changed, 82 insertions(+), 89 deletions(-)
base-commit: 16ec4fb4ac95d878b879192d280db2baeec43272
--
2.52.0.rc1.455.g30608eb744-goog
Powered by blists - more mailing lists