From: Sean Christopherson <seanjc@google.com>
To: Mathias Krause <minipli@grsecurity.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>, kvm@vger.kernel.org
Subject: Re: [PATCH 1/3] KVM: x86: Fix KVM_GET_MSRS stack info leak
Date: Mon, 5 Feb 2024 10:42:35 -0800 [thread overview]
Message-ID: <ZcEsG8ohXfgcYvB0@google.com> (raw)
In-Reply-To: <20240203124522.592778-2-minipli@grsecurity.net>
On Sat, Feb 03, 2024, Mathias Krause wrote:
> Commit 6abe9c1386e5 ("KVM: X86: Move ignore_msrs handling upper the
> stack") changed the 'ignore_msrs' handling, including sanitizing return
> values to the caller. This was fine until commit 12bc2132b15e ("KVM:
> X86: Do the same ignore_msrs check for feature msrs") which allowed
> non-existing feature MSRs to be ignored, i.e. to not generate an error
> on the ioctl() level. It even tried to preserve the sanitization of the
> return value. However, the logic is flawed, as '*data' will be
> overwritten again with the uninitialized stack value of msr.data.
Ugh, what a terrible commit. This makes no sense:
Logically the ignore_msrs and report_ignored_msrs should also apply to feature
MSRs. Add them in.
The whole point of ignore_msrs was so that KVM could run _guest_ code that isn't
aware it's running in a VM, and so attempts to access MSRs that the _guest_ thinks
are always available.
The feature MSRs API is used only by userspace which obviously should know that
it's dealing with KVM. Ignoring bad access from the host is just asinine.
At this point, it's not worth trying to revert that commit, but oof.
> Fix this by simplifying the logic and always initializing msr.data,
> vanishing the need for an additional error exit path.
Out of curiosity, was this found by inspection, or by some other means? I'm quite
surprised none of the sanitizers stumbled across this.
> Fixes: 12bc2132b15e ("KVM: X86: Do the same ignore_msrs check for feature msrs")
I'll apply this for 6.8. I think I'll also throw together a follow-up series to
clean up some of this mess. There's no good reason this code has to be so grossly
fragile.
next prev parent reply other threads:[~2024-02-05 18:42 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-03 12:45 [PATCH 0/3] KVM: x86 - misc fixes Mathias Krause
2024-02-03 12:45 ` [PATCH 1/3] KVM: x86: Fix KVM_GET_MSRS stack info leak Mathias Krause
2024-02-04 1:28 ` Xiaoyao Li
2024-02-05 18:42 ` Sean Christopherson [this message]
2024-02-06 17:52 ` Mathias Krause
2024-02-03 12:45 ` [PATCH 2/3] KVM: x86: Simplify kvm_vcpu_ioctl_x86_get_debugregs() Mathias Krause
2024-02-04 1:05 ` Xiaoyao Li
2024-02-05 19:53 ` Sean Christopherson
2024-02-06 18:15 ` Mathias Krause
2024-02-06 18:24 ` Sean Christopherson
2024-02-06 18:30 ` Mathias Krause
2024-02-06 18:32 ` Mathias Krause
2024-02-03 12:45 ` [PATCH 3/3] KVM: x86: Fix broken debugregs ABI for 32 bit kernels Mathias Krause
2024-02-05 18:46 ` Sean Christopherson
2024-02-06 18:23 ` Mathias Krause
2024-02-05 19:56 ` [PATCH 0/3] KVM: x86 - misc fixes Sean Christopherson
2024-02-06 18:24 ` Mathias Krause
2024-02-06 18:52 ` Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZcEsG8ohXfgcYvB0@google.com \
--to=seanjc@google.com \
--cc=kvm@vger.kernel.org \
--cc=minipli@grsecurity.net \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox