From: David Woodhouse <dwmw2@infradead.org>
To: Sean Christopherson <seanjc@google.com>,
	Paolo Bonzini <pbonzini@redhat.com>,  Paul Durrant <paul@xen.org>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	 syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com,
	Joao Martins <joao.m.martins@oracle.com>
Subject: Re: [PATCH 1/5] KVM: x86/xen: Restrict hypercall MSR to unofficial synthetic range
Date: Thu, 06 Feb 2025 16:51:17 +0000
Message-ID: <2ca93bb7f577e206226e7201741ec832a45d226a.camel@infradead.org>
In-Reply-To: <20250201011400.669483-2-seanjc@google.com>


On Fri, 2025-01-31 at 17:13 -0800, Sean Christopherson wrote:
> Reject userspace attempts to set the Xen hypercall page MSR to an index
> outside of the "standard" virtualization range [0x40000000, 0x4fffffff],
> as KVM is not equipped to handle collisions with real MSRs, e.g. KVM
> doesn't update MSR interception, conflicts with VMCS/VMCB fields, special
> case writes in KVM, etc.
> 
> Allowing userspace to redirect any MSR write can also be used to attack
> the kernel, as kvm_xen_write_hypercall_page() takes multiple locks and
> writes to guest memory.  E.g. if userspace sets the MSR to MSR_IA32_XSS,
> KVM's write to MSR_IA32_XSS during vCPU creation will trigger an SRCU
> violation due to writing guest memory:
> 
>   =============================
>   WARNING: suspicious RCU usage
>   6.13.0-rc3
>   -----------------------------
>   include/linux/kvm_host.h:1046 suspicious rcu_dereference_check() usage!
> 
>   stack backtrace:
>   CPU: 6 UID: 1000 PID: 1101 Comm: repro Not tainted 6.13.0-rc3
>   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x7f/0x90
>    lockdep_rcu_suspicious+0x176/0x1c0
>    kvm_vcpu_gfn_to_memslot+0x259/0x280
>    kvm_vcpu_write_guest+0x3a/0xa0
>    kvm_xen_write_hypercall_page+0x268/0x300
>    kvm_set_msr_common+0xc44/0x1940
>    vmx_set_msr+0x9db/0x1fc0
>    kvm_vcpu_reset+0x857/0xb50
>    kvm_arch_vcpu_create+0x37e/0x4d0
>    kvm_vm_ioctl+0x669/0x2100
>    __x64_sys_ioctl+0xc1/0xf0
>    do_syscall_64+0xc5/0x210
>    entry_SYSCALL_64_after_hwframe+0x4b/0x53
>   RIP: 0033:0x7feda371b539
> 
> While the MSR index isn't strictly ABI, i.e. can theoretically float to
> any value, in practice no known VMM sets the MSR index to anything other
> than 0x40000000 or 0x40000200.
> 
> Reported-by: syzbot+cdeaeec70992eca2d920@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/679258d4.050a0220.2eae65.000a.GAE@google.com
> Cc: Joao Martins <joao.m.martins@oracle.com>
> Cc: Paul Durrant <paul@xen.org>
> Cc: David Woodhouse <dwmw@amazon.co.uk>
> Signed-off-by: Sean Christopherson <seanjc@google.com>

With macros for the magic numbers as discussed (and a corresponding
update to the documentation), and with the Reported-by: and Closes:
tags dropped because they should move to the commit which makes the
hypercall page only trigger for !host_initiated writes and resolves it
in a more future-proof way for the general case,

Reviewed-by: David Woodhouse <dwmw@amazon.co.uk>
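An added illustration, not code from the patch or from KVM: a small C model of the collision the quoted commit message describes, a host-initiated write to MSR_IA32_XSS being redirected into the Xen hypercall-page path because userspace configured that index, beside the range check that rejects such an index at configuration time. The macro names KVM_XEN_MSR_MIN_INDEX/KVM_XEN_MSR_MAX_INDEX and every struct and function name here are hypothetical; the value 0xda0 for MSR_IA32_XSS is the real architectural index, and the range bounds are the ones in the commit message.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical macro names for the magic numbers in the commit message. */
#define KVM_XEN_MSR_MIN_INDEX 0x40000000u
#define KVM_XEN_MSR_MAX_INDEX 0x4fffffffu
/* Real architectural index of IA32_XSS (arch/x86/include/asm/msr-index.h). */
#define MSR_IA32_XSS 0x00000da0u

struct vcpu_model {
    uint32_t xen_hypercall_msr;     /* index userspace configured for the hypercall page */
    bool xen_enabled;
    unsigned hypercall_page_writes; /* stands in for writes to guest memory */
    uint64_t xss;
};

/* Configuration-time validation. With enforce_range == true this is the
 * behaviour the patch introduces; with false it models the old, unchecked path. */
static int model_set_hypercall_msr(struct vcpu_model *v, uint32_t msr, bool enforce_range)
{
    if (enforce_range && (msr < KVM_XEN_MSR_MIN_INDEX || msr > KVM_XEN_MSR_MAX_INDEX))
        return -EINVAL;
    v->xen_hypercall_msr = msr;
    v->xen_enabled = true;
    return 0;
}

/* Toy MSR write dispatcher in the order the backtrace shows: the Xen
 * hypercall-page check is consulted before ordinary MSR handling. */
static int model_set_msr(struct vcpu_model *v, uint32_t msr, uint64_t data)
{
    if (v->xen_enabled && msr == v->xen_hypercall_msr) {
        v->hypercall_page_writes++; /* kvm_xen_write_hypercall_page() in real KVM */
        return 0;
    }
    if (msr == MSR_IA32_XSS) {
        v->xss = data;
        return 0;
    }
    return -ENOENT;
}

/* Does KVM's own write to MSR_IA32_XSS during vCPU reset end up in the
 * hypercall-page path once userspace has configured configured_msr? */
static bool xss_write_hits_hypercall_page(uint32_t configured_msr, bool enforce_range)
{
    struct vcpu_model v = {0};
    if (model_set_hypercall_msr(&v, configured_msr, enforce_range) != 0)
        return false; /* rejected up front, so no collision is possible */
    model_set_msr(&v, MSR_IA32_XSS, 0);
    return v.hypercall_page_writes > 0;
}
```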
