From: YiFei Zhu <zhuyifei@google.com>
To: qemu-devel@nongnu.org
Cc: Paolo Bonzini <pbonzini@redhat.com>,
Zhao Liu <zhao1.liu@intel.com>,
Richard Henderson <richard.henderson@linaro.org>,
Eduardo Habkost <eduardo@habkost.net>,
qemu-stable@nongnu.org, unvariant.winter@gmail.com,
YiFei Zhu <zhuyifei1999@gmail.com>,
YiFei Zhu <zhuyifei@google.com>
Subject: [PATCH 0/2] i386/tcg: Protect SMM against malicious kernel via IPI & DR
Date: Thu, 25 Sep 2025 10:30:55 +0000 [thread overview]
Message-ID: <cover.1758794468.git.zhuyifei@google.com> (raw)
These two patches fix two separate TCG-only SMM vulnerabilities.
Neither of them is reproducible with KVM, and hence they are limited to
the "Non-virtualization Use Case" [1].

The first patch's bug was found by me while developing SMM challenges
for CrewCTF. The second patch's bug was found by unvariant, a participant
in the said CTF.
[1] https://www.qemu.org/docs/master/system/security.html#non-virtualization-use-case
YiFei Zhu (2):
i386/cpu: Prevent delivering SIPI during SMM in TCG mode
i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit
target/i386/cpu.c | 3 ++-
target/i386/tcg/system/smm_helper.c | 10 +++++-----
2 files changed, 7 insertions(+), 6 deletions(-)
--
2.51.0.536.g15c5d4f767-goog
Thread overview: 6+ messages
2025-09-25 10:30 YiFei Zhu [this message]
2025-09-25 10:30 ` [PATCH 1/2] i386/cpu: Prevent delivering SIPI during SMM in TCG mode YiFei Zhu
2025-10-11 7:19 ` Paolo Bonzini
2025-10-11 7:48 ` YiFei Zhu
2025-09-25 10:30 ` [PATCH 2/2] i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit YiFei Zhu
2025-10-11 7:22 ` Paolo Bonzini