[PATCH] KVM: x86: zero IDT limit on entry to SMM

kvm.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] KVM: x86: zero IDT limit on entry to SMM
@ 2015-08-07 10:54 Paolo Bonzini
  2015-08-10 15:31 ` Radim Krčmář
  0 siblings, 1 reply; 2+ messages in thread
From: Paolo Bonzini @ 2015-08-07 10:54 UTC (permalink / raw)
  To: linux-kernel, kvm; +Cc: rkrcmar, dgilbert

The recent BlackHat 2015 presentation "The Memory Sinkhole"
mentions that the IDT limit is zeroed on entry to SMM.

This is not documented, and must have changed some time after 2010
(see http://www.ssi.gouv.fr/uploads/IMG/pdf/IT_Defense_2010_final.pdf).
KVM was not doing it, but the fix is easy.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 arch/x86/kvm/x86.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 5ef2560075bf..c5e88a881899 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6327,6 +6327,7 @@ static void process_smi_save_state_64(struct kvm_vcpu *vcpu, char *buf)
 static void process_smi(struct kvm_vcpu *vcpu)
 {
 	struct kvm_segment cs, ds;
+	struct desc_ptr dt;
 	char buf[512];
 	u32 cr0;
 
@@ -6359,6 +6360,10 @@ static void process_smi(struct kvm_vcpu *vcpu)
 
 	kvm_x86_ops->set_cr4(vcpu, 0);
 
+	/* Undocumented: IDT limit is set to zero on entry to SMM.  */
+	dt.address = dt.size = 0;
+	kvm_x86_ops->set_idt(vcpu, &dt);
+
 	__kvm_set_dr(vcpu, 7, DR7_FIXED_1);
 
 	cs.selector = (vcpu->arch.smbase >> 4) & 0xffff;
-- 
1.8.3.1

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] KVM: x86: zero IDT limit on entry to SMM
  2015-08-07 10:54 [PATCH] KVM: x86: zero IDT limit on entry to SMM Paolo Bonzini
@ 2015-08-10 15:31 ` Radim Krčmář
  0 siblings, 0 replies; 2+ messages in thread
From: Radim Krčmář @ 2015-08-10 15:31 UTC (permalink / raw)
  To: Paolo Bonzini; +Cc: linux-kernel, kvm, dgilbert

2015-08-07 12:54+0200, Paolo Bonzini:
> The recent BlackHat 2015 presentation "The Memory Sinkhole"
> mentions that the IDT limit is zeroed on entry to SMM.

Slide 64 of
https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation.pdf

> This is not documented, and must have changed some time after 2010
> (see http://www.ssi.gouv.fr/uploads/IMG/pdf/IT_Defense_2010_final.pdf).
> KVM was not doing it, but the fix is easy.

This patch also clears the IDT base.  Fetching original IDT is better
done from SMM saved state (and an anti-exploit based on comparing those
two seems unlikely) so it should be fine,

Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>

> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---

That takes care of Attack 1.
KVM is likely not vulnerable to attack 2 and 3 because of an emergent
security feature.  (A simple modification of kvm-unit-tests show that
mapping APIC base on top of real code/data makes the APIC page hidden
and I expect SMM memslot to behave similarly.)

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2015-08-10 15:31 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-08-07 10:54 [PATCH] KVM: x86: zero IDT limit on entry to SMM Paolo Bonzini
2015-08-10 15:31 ` Radim Krčmář

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).