From: Sean Christopherson <seanjc@google.com>
To: Lee Jones <lee@kernel.org>
Cc: "gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
Rishabh Bhatnagar <risbhat@amazon.com>,
"stable@vger.kernel.org" <stable@vger.kernel.org>,
Suraj Jitindar Singh <surajjs@amazon.com>,
Mike Bacco <mbacco@amazon.com>, "bp@alien8.de" <bp@alien8.de>,
"mingo@redhat.com" <mingo@redhat.com>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"vkuznets@redhat.com" <vkuznets@redhat.com>,
"wanpengli@tencent.com" <wanpengli@tencent.com>,
"jmattson@google.com" <jmattson@google.com>,
"joro@8bytes.org" <joro@8bytes.org>,
kvm@vger.kernel.org
Subject: Re: [PATCH 0/9] KVM backports to 5.10
Date: Tue, 2 May 2023 13:15:17 -0700 [thread overview]
Message-ID: <ZFFt/ZMqQ1RHnY4e@google.com> (raw)
In-Reply-To: <20230419071711.GA493399@google.com>
On Wed, Apr 19, 2023, Lee Jones wrote:
> On Wed, 21 Sep 2022, gregkh@linuxfoundation.org wrote:
>
> > On Tue, Sep 20, 2022 at 06:19:26PM +0200, gregkh@linuxfoundation.org wrote:
> > > On Tue, Sep 20, 2022 at 03:34:04PM +0000, Bhatnagar, Rishabh wrote:
> > > > Gentle reminder to review this patch series.
> > >
> > > Gentle reminder to never top-post :)
> > >
> > > Also, it's up to the KVM maintainers if they wish to review this or not.
> > > I can't make them care about old and obsolete kernels like 5.10.y. Why
> > > not just use 5.15.y or newer?
> >
> > Given the lack of responses here from the KVM developers, I'll drop this
> > from my mbox and wait for them to be properly reviewed and resend before
> > considering them for a stable release.
>
> KVM maintainers,
>
> Would someone be kind enough to take a look at this for Greg please?
>
> Note that at least one of the patches in this set has been identified as
> a fix for a serious security issue regarding the compromise of guest
> kernels due to the mishandling of flush operations.
A minor note, the security issue is serious _if_ the bug can be exploited, which
as is often the case for KVM, is a fairly big "if". Jann's PoC relied on collusion
between host userspace and the guest kernel, and as Jann called out, triggering
the bug on a !PREEMPT host kernel would be quite difficult in practice.
I don't want to downplay the seriousness of compromising guest security, but CVSS
scores for KVM CVEs almost always fail to account for the multitude of factors in
play. E.g. CVE-2023-30456 also had a score of 7.8, and that bug required disabling
EPT, which pretty much no one does when running untrusted guest code.
In other words, take the purported severity with a grain of salt.
> Please could someone confirm or otherwise that this is relevant for
> v5.10.y and older?
Acked-by: Sean Christopherson <seanjc@google.com>
next prev parent reply other threads:[~2023-05-02 20:15 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-09 18:55 [PATCH 0/9] KVM backports to 5.10 Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 1/9] KVM: x86: Ensure PV TLB flush tracepoint reflects KVM behavior Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 2/9] KVM: x86: Fix recording of guest steal time / preempted status Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 3/9] KVM: Fix steal time asm constraints Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 4/9] KVM: x86: Remove obsolete disabling of page faults in kvm_arch_vcpu_put() Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 5/9] KVM: x86: do not set st->preempted when going back to user space Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 6/9] KVM: x86: do not report a vCPU as preempted outside instruction boundaries Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 7/9] KVM: x86: revalidate steal time cache if MSR value changes Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 8/9] KVM: x86: do not report preemption if the steal time cache is stale Rishabh Bhatnagar
2022-09-09 18:55 ` [PATCH 9/9] KVM: x86: move guest_pv_has out of user_access section Rishabh Bhatnagar
2022-09-20 15:34 ` [PATCH 0/9] KVM backports to 5.10 Bhatnagar, Rishabh
2022-09-20 16:19 ` gregkh
2022-09-21 8:58 ` gregkh
2023-04-19 7:17 ` Lee Jones
2023-05-02 20:15 ` Sean Christopherson [this message]
2023-05-03 7:34 ` Lee Jones
2023-05-04 1:10 ` gregkh
2023-05-04 16:22 ` Bhatnagar, Rishabh
2023-05-10 13:43 ` Lee Jones
2023-05-03 17:10 ` Allen Pais
-- strict thread matches above, loose matches on Subject: below --
2023-05-10 18:15 Rishabh Bhatnagar
2023-05-15 12:47 ` Greg KH
2022-09-09 18:13 Rishabh Bhatnagar
2022-09-09 18:26 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZFFt/ZMqQ1RHnY4e@google.com \
--to=seanjc@google.com \
--cc=bp@alien8.de \
--cc=gregkh@linuxfoundation.org \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=lee@kernel.org \
--cc=mbacco@amazon.com \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=risbhat@amazon.com \
--cc=stable@vger.kernel.org \
--cc=surajjs@amazon.com \
--cc=tglx@linutronix.de \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.