From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Liran Alon <liran.alon@oracle.com>
Cc: Marios Pomonis <pomonis@google.com>,
Paolo Bonzini <pbonzini@redhat.com>,
rkrcmar@redhat.com, Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
"H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, kvm@vger.kernel.org,
linux-kernel@vger.kernel.org, Nick Finco <nifi@google.com>,
Andrew Honig <ahonig@google.com>
Subject: Re: [PATCH] KVM: x86: Extend Spectre-v1 mitigation
Date: Fri, 22 Nov 2019 14:19:55 -0800 [thread overview]
Message-ID: <20191122221955.GI31235@linux.intel.com> (raw)
In-Reply-To: <1ADDE0A8-40F1-4642-B8CC-8DE38609DC10@oracle.com>
On Sat, Nov 23, 2019 at 12:03:27AM +0200, Liran Alon wrote:
>
> > On 22 Nov 2019, at 20:40, Marios Pomonis <pomonis@google.com> wrote:
> > @@ -5828,6 +5836,8 @@ static int vmx_handle_exit(struct kvm_vcpu *vcpu)
> > {
> > struct vcpu_vmx *vmx = to_vmx(vcpu);
> > u32 exit_reason = vmx->exit_reason;
> > + u32 bounded_exit_reason = array_index_nospec(exit_reason,
> > + kvm_vmx_max_exit_handlers);
>
> Unlike the rest of this patch changes, exit_reason is not attacker-controllable.
> Therefore, I don’t think we need this change to vmx_handle_exit().
I waffled on this one too. Theoretically, if an attacker finds a way to
trigger a VM-Exit that isn't yet known to KVM, and coordinates across
userspace and guest to keep rerunning the attack in the guest instead of
killing the VM (on the unexpected VM-Exit), then exit_reason is sort of
under attacker control.
Of course the above scenario would require a bug in KVM, e.g. enable an
unknown enabling/exiting control, or in a CPU, e.g. generate a new VM-Exit
without software opt-in or generate a completely bogus VM-Exit. The
whole thing is pretty far fetched...
prev parent reply other threads:[~2019-11-22 22:20 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-22 18:40 [PATCH] KVM: x86: Extend Spectre-v1 mitigation Marios Pomonis
2019-11-22 19:45 ` Sean Christopherson
2019-11-22 22:03 ` Liran Alon
2019-11-22 22:19 ` Sean Christopherson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191122221955.GI31235@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=ahonig@google.com \
--cc=bp@alien8.de \
--cc=hpa@zytor.com \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=liran.alon@oracle.com \
--cc=mingo@redhat.com \
--cc=nifi@google.com \
--cc=pbonzini@redhat.com \
--cc=pomonis@google.com \
--cc=rkrcmar@redhat.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.