From: Bandan Das <bsd@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Dan Carpenter" <dan.carpenter@oracle.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Ingo Molnar" <mingo@redhat.com>,
"H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, kvm@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
Date: Thu, 11 May 2017 13:56:47 +0000 [thread overview]
Message-ID: <jpga86j1ops.fsf@linux.bootlegged.copy> (raw)
In-Reply-To: <06746553-466d-101f-1bfc-16dc15ec9487@redhat.com> (Paolo Bonzini's message of "Thu, 11 May 2017 09:31:17 +0200")
Paolo Bonzini <pbonzini@redhat.com> writes:
> On 10/05/2017 22:43, Dan Carpenter wrote:
>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>> should be >= or we write beyond the end of the array when we do:
>>
>> pml_address[vmcs12->guest_pml_index--] = gpa;
Actually, we can never write beyond the end when we do
pml_address[vmcs12->guest_pml_index--] = gpa (which happens in the
host hypervisor btw). I think this should be changed.
>> This causes a static checker warning but the runtime impact is minimal.
>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>> buggy hypervisor.
>
> The v1 commit message is better actually. You can always replace
> "buggy" with "malicious".
I agree, they are interchangeable but what's the worst that can happen ?
L1 killing itself ?
Bandan
> It's a 8 byte write and bits 12-45 of the datum are controlled by the
> attacker. It's pretty bad (and embarrassing - I'm not sure why I was
> super-sure that PML_ENTITY_NUM was 511 rather than 512).
>
> Paolo
WARNING: multiple messages have this Message-ID (diff)
From: Bandan Das <bsd@redhat.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: "Dan Carpenter" <dan.carpenter@oracle.com>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Ingo Molnar" <mingo@redhat.com>,
"H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, kvm@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
Date: Thu, 11 May 2017 09:56:47 -0400 [thread overview]
Message-ID: <jpga86j1ops.fsf@linux.bootlegged.copy> (raw)
In-Reply-To: <06746553-466d-101f-1bfc-16dc15ec9487@redhat.com> (Paolo Bonzini's message of "Thu, 11 May 2017 09:31:17 +0200")
Paolo Bonzini <pbonzini@redhat.com> writes:
> On 10/05/2017 22:43, Dan Carpenter wrote:
>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>> should be >= or we write beyond the end of the array when we do:
>>
>> pml_address[vmcs12->guest_pml_index--] = gpa;
Actually, we can never write beyond the end when we do
pml_address[vmcs12->guest_pml_index--] = gpa (which happens in the
host hypervisor btw). I think this should be changed.
>> This causes a static checker warning but the runtime impact is minimal.
>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>> buggy hypervisor.
>
> The v1 commit message is better actually. You can always replace
> "buggy" with "malicious".
I agree, they are interchangeable but what's the worst that can happen ?
L1 killing itself ?
Bandan
> It's a 8 byte write and bits 12-45 of the datum are controlled by the
> attacker. It's pretty bad (and embarrassing - I'm not sure why I was
> super-sure that PML_ENTITY_NUM was 511 rather than 512).
>
> Paolo
next prev parent reply other threads:[~2017-05-11 13:56 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-10 19:43 [PATCH] kvm: nVMX: off by one in vmx_write_pml_buffer() Dan Carpenter
2017-05-10 19:43 ` Dan Carpenter
2017-05-10 20:18 ` Bandan Das
2017-05-10 20:18 ` Bandan Das
2017-05-10 20:43 ` [PATCH v2] " Dan Carpenter
2017-05-10 20:43 ` Dan Carpenter
2017-05-11 7:31 ` Paolo Bonzini
2017-05-11 7:31 ` Paolo Bonzini
2017-05-11 7:42 ` Dan Carpenter
2017-05-11 7:42 ` Dan Carpenter
2017-05-11 7:52 ` Paolo Bonzini
2017-05-11 7:52 ` Paolo Bonzini
2017-05-11 13:56 ` Bandan Das [this message]
2017-05-11 13:56 ` Bandan Das
2017-05-11 15:23 ` Paolo Bonzini
2017-05-11 15:23 ` Paolo Bonzini
2017-05-11 17:06 ` Bandan Das
2017-05-11 17:06 ` Bandan Das
2017-05-16 13:56 ` [PATCH] " Radim Krčmář
2017-05-16 13:56 ` Radim Krčmář
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=jpga86j1ops.fsf@linux.bootlegged.copy \
--to=bsd@redhat.com \
--cc=dan.carpenter@oracle.com \
--cc=hpa@zytor.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=kvm@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.