Date: Wed, 18 May 2022 13:14:40 +0200
From: "Jason A. Donenfeld"
To: Thomas Gleixner, Vadim Galitsin
Cc: LKML, x86@kernel.org, Filipe Manana, Vadim Galitsin
Subject: Re: [patch 0/3] x86/fpu: Prevent FPU state corruption
References: <20220501192740.203963477@linutronix.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Vadim,

On Wed, May 18, 2022 at 03:02:05AM +0200, Jason A. Donenfeld wrote:
> Observation: the problem is definitely related to using the FPU in a
> hard IRQ.

I wrote a tiny reproducer that should be pretty reliable for testing this,
attached below. I think this proves my working theory. Run this in a
VirtualBox VM, and then move your mouse around or hit the keyboard, or do
something that triggers the add_{input,disk}_randomness() path from a
hardirq handler. On my laptop, for example, the trackpoint goes via hardirq,
but the touchpad does not. As soon as I move the trackpoint around, the
below program prints "XSAVE is borked!".

Also, note that this isn't just "corruption" of the guest VM, but also
leaking secret contents of the host VM into the guest. So you might really
want to make sure VirtualBox issues a fix for this before 5.18, as it's
arguably security sensitive.

Regards,
Jason

#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/wait.h>

int main(int argc, char *argv[])
{
	int status = 0;

	/* One spinning child per CPU, so every core has live user FPU state. */
	for (int i = 0, nproc = sysconf(_SC_NPROCESSORS_ONLN); i < nproc; ++i) {
		if (!fork()) {
			prctl(PR_SET_PDEATHSIG, SIGKILL);
			/* Park 42 in xmm0 and spin until it reads back as something else. */
			asm("movq $42, %%rax\n"
			    "movq %%rax, %%xmm0\n"
			    "0:\n"
			    "movq %%xmm0, %%rbx\n"
			    "cmpq %%rax, %%rbx\n"
			    "je 0b\n"
			    : : : "rax", "rbx", "xmm0", "cc");
			/* Only reached if xmm0 changed underneath us. */
			_exit(77);
		}
	}
	wait(&status);
	if (WEXITSTATUS(status) == 77)
		printf("XSAVE is borked!\n");
	return 1;
}