Open Source and information security mailing list archives
 
Message-ID: <dde77ed7-3fde-4b81-85be-68db82138454@intel.com>
Date: Thu, 15 Jan 2026 08:27:44 -0800
From: Dave Hansen <dave.hansen@...el.com>
To: Paolo Bonzini <pbonzini@...hat.com>, Jim Mattson <jmattson@...gle.com>,
 Sean Christopherson <seanjc@...gle.com>
Cc: linux-kernel@...r.kernel.org, kvm@...r.kernel.org, x86@...nel.org,
 stable@...r.kernel.org
Subject: Re: [PATCH 1/4] x86/fpu: Clear XSTATE_BV[i] in save state whenever
 XFD[i]=1

On 1/15/26 08:12, Paolo Bonzini wrote:
...
>> I'm _sure_ they discussed tying XFD[i] and XINUSE[i] together and there
>> was a good reason they did not.
> 
> Is there anything that prevents an SMM handler (or more likely, an SMI
> transfer monitor) to do an XSAVE/XRSTOR and destroy tile data?

I think you're saying: let's assume XFD[18]=1 and XINUSE[18]=1 and
there's an SMI. The SMI handler does:

	XSAVE(RFBM=-1, &buf)
	... run some gunk
	XRSTOR(RFBM=-1, &buf)

to try and save everything. But, that XSAVE is subject to this behavior
from the SDM:

	If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state
	component i, the instruction does not generate #NM when XCR0[i]
	= IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and
	the state component was in its initial state)

So 'buf' will end up having XFEATURES[18]=0. The XRSTOR will see
XFEATURES[18]=0 and set feature 18 to its init state, effectively
zapping its contents.

I guess the only thing preventing that in practice is the lack of XSAVE
use in SMM handlers. But I see your point.
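
The XSAVE/XRSTOR sequence walked through in the message above, as an added toy model in C (not part of the original email, and not kernel or SDM code). The struct layouts, function names and the 16-byte tile size are assumptions made for illustration; only component 18 is modelled, and the #NM case of XRSTOR is left out because the modelled XSAVE never produces it.

```c
#include <stdint.h>
#include <string.h>

#define TILE_BIT (1ULL << 18)   /* state component 18, as in the message */
#define TILE_LEN 16             /* constructed size; real tile data is far larger */

struct cpu {                    /* hypothetical model of one logical CPU */
    uint64_t xcr0, xfd, xinuse;
    uint8_t tile[TILE_LEN];
};

struct xsave_buf {              /* only the fields this model needs */
    uint64_t xstate_bv;
    uint8_t tile[TILE_LEN];
};

/* XSAVE: a component with XCR0[i] = XFD[i] = 1 is saved as if XINUSE[i] = 0. */
static void model_xsave(const struct cpu *c, uint64_t rfbm, struct xsave_buf *b)
{
    uint64_t saved = rfbm & c->xcr0 & c->xinuse & ~c->xfd;
    b->xstate_bv = saved;
    if (saved & TILE_BIT)
        memcpy(b->tile, c->tile, TILE_LEN);
}

/* XRSTOR: RFBM[i] = 1 with XSTATE_BV[i] = 0 puts component i in its init state. */
static void model_xrstor(struct cpu *c, uint64_t rfbm, const struct xsave_buf *b)
{
    if (!(rfbm & c->xcr0 & TILE_BIT))
        return;
    if (b->xstate_bv & TILE_BIT) {
        memcpy(c->tile, b->tile, TILE_LEN);
        c->xinuse |= TILE_BIT;
    } else {
        memset(c->tile, 0, TILE_LEN);   /* init state for tile data is all zeros */
        c->xinuse &= ~TILE_BIT;
    }
}

/* Returns 1 if tile data survives XSAVE(RFBM=-1) + XRSTOR(RFBM=-1) under this XFD. */
int tile_survives(uint64_t xfd)
{
    struct cpu c = { .xcr0 = TILE_BIT, .xfd = xfd, .xinuse = TILE_BIT };
    struct xsave_buf b = {0};
    memset(c.tile, 0xA5, TILE_LEN);     /* constructed tile contents */
    model_xsave(&c, ~0ULL, &b);
    model_xrstor(&c, ~0ULL, &b);
    return c.tile[0] == 0xA5 && c.tile[TILE_LEN - 1] == 0xA5;
}
```

In this model `tile_survives(0)` returns 1 and `tile_survives(TILE_BIT)` returns 0, matching the XFD[18]=1, XINUSE[18]=1 case in the message.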
