[Bug 53871] New: nVMX: Can malicious L2 kill L1?

public inbox for kvm@vger.kernel.org
 help / color / mirror / Atom feed

* [Bug 53871] New: nVMX: Can malicious L2 kill L1?
@ 2013-02-14 15:22 bugzilla-daemon
  2013-02-14 15:22 ` [Bug 53871] " bugzilla-daemon
  2015-03-17  3:53 ` bugzilla-daemon
  0 siblings, 2 replies; 3+ messages in thread
From: bugzilla-daemon @ 2013-02-14 15:22 UTC (permalink / raw)
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=53871

           Summary: nVMX: Can malicious L2 kill L1?
           Product: Virtualization
           Version: unspecified
          Platform: All
        OS/Version: Linux
              Tree: Mainline
            Status: NEW
          Severity: low
          Priority: P1
         Component: kvm
        AssignedTo: virtualization_kvm@kernel-bugs.osdl.org
        ReportedBy: nyh@math.technion.ac.il
        Regression: No


This is a thought-experiment bug - I haven't seen it happen in practice, so
maybe it's not a bug, but it's worth investigating.

There are, I think, places cases where KVM decides that the guest is buggy or
malicious so it aborts this guest. But because KVM is not aware that L1 and
several L2 (nested guests) are all pretending to be one guest (one vcpu) - this
might mean that a buggy or malicious L2 can kill an entire L1, not just this
L2.

A potential example of this problem is this (I'm not sure it's actually correct
- I just thought of this a long time ago and didn't recheck the details now):
In the original nested VMX submission, After L2 changed cr3, kvm_mmu_load() was
called to realize immediately that L2 did something bad and only it should be
aborted. But after a review, this test was removed, so the code now waits till
later, and when it later sees it can't kvm_mmu_load() I think it kills the
entire vcpu - L1 and all its L2s.

-- 
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Bug 53871] nVMX: Can malicious L2 kill L1?
  2013-02-14 15:22 [Bug 53871] New: nVMX: Can malicious L2 kill L1? bugzilla-daemon
@ 2013-02-14 15:22 ` bugzilla-daemon
  2015-03-17  3:53 ` bugzilla-daemon
  1 sibling, 0 replies; 3+ messages in thread
From: bugzilla-daemon @ 2013-02-14 15:22 UTC (permalink / raw)
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=53871


Nadav Har'El <nyh@math.technion.ac.il> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |53601




-- 
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Bug 53871] nVMX: Can malicious L2 kill L1?
  2013-02-14 15:22 [Bug 53871] New: nVMX: Can malicious L2 kill L1? bugzilla-daemon
  2013-02-14 15:22 ` [Bug 53871] " bugzilla-daemon
@ 2015-03-17  3:53 ` bugzilla-daemon
  1 sibling, 0 replies; 3+ messages in thread
From: bugzilla-daemon @ 2015-03-17  3:53 UTC (permalink / raw)
  To: kvm

https://bugzilla.kernel.org/show_bug.cgi?id=53871

Bandan Das <bsd@makefile.in> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |94971

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2015-03-17  3:54 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-02-14 15:22 [Bug 53871] New: nVMX: Can malicious L2 kill L1? bugzilla-daemon
2013-02-14 15:22 ` [Bug 53871] " bugzilla-daemon
2015-03-17  3:53 ` bugzilla-daemon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox