Message-ID: <20200130181637.GC29347@mbp>
Date: Thu, 30 Jan 2020 18:16:37 +0000
From: Catalin Marinas <catalin.marinas@....com>
To: oss-security@...ts.openwall.com
Subject: Linux kernel: arm64/KVM debug registers vulnerability

Hi,

A bug has been fixed in the arm64 KVM port (commit id
4942dc6638b07b5326b6d2faa142635c559e7cd5 "KVM: arm64: Write arch.mdcr_el2
changes since last vcpu_load on VHE") which would allow a guest to access
the debug/PMU registers used by the host without being trapped. This can
only happen during the vCPU start until the first preemption. Systems with
an ARMv8.1 or later CPU are affected (with the Virtualisation Host
Extensions).

The implications are that a guest, for a brief period, may be able to read
event counters belonging to the host or potentially trigger perf-related
IRQs in the host.

A more detailed description of the fix from the commit log [1]:

  KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE

  On VHE systems arch.mdcr_el2 is written to mdcr_el2 at vcpu_load time to
  set options for self-hosted debug and the performance monitors
  extension. Unfortunately the value of arch.mdcr_el2 is not calculated
  until kvm_arm_setup_debug() in the run loop after the vcpu has been
  loaded. This means that the initial brief iterations of the run loop use
  a zero value of mdcr_el2 - until the vcpu is preempted. This also
  results in a delay between changes to vcpu->guest_debug taking effect.

  Fix this by writing to mdcr_el2 in kvm_arm_setup_debug() on VHE systems
  when a change to arch.mdcr_el2 has been detected.

No CVE ID has been assigned to this bug.

-- 
Catalin

[1] https://git.kernel.org/linus/4942dc6638b07b5326b6d2faa142635c559e7cd5
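The ordering problem the commit log describes, as an added model written for this page (it is not kernel code and not taken from the commit): vcpu_load copies arch.mdcr_el2 into the register before kvm_arm_setup_debug has computed it, so the first run-loop iterations on VHE run the guest with a zero register until preemption reloads the vcpu. The struct, the two trap bits and their values are placeholders constructed for the model; only the names vcpu_load, kvm_arm_setup_debug, arch.mdcr_el2 and guest_debug come from the advisory. The `fixed` flag switches between the pre-fix behaviour (compute only) and the fix (also write the register when the computed value changed).

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the vcpu_load / kvm_arm_setup_debug ordering described
 * in the advisory. Not kernel code: the trap bits are illustrative
 * placeholders, not the architectural MDCR_EL2 encodings.
 */
#define MDCR_TRAP_PMU    (1u << 0)  /* placeholder: trap guest PMU register access */
#define MDCR_TRAP_DEBUG  (1u << 1)  /* placeholder: trap guest debug register access */

/* The single hardware register the model tracks (stands in for MDCR_EL2). */
static uint32_t hw_mdcr_el2;

struct vcpu {
    uint32_t mdcr_el2;   /* stands in for vcpu->arch.mdcr_el2 */
    bool guest_debug;    /* stands in for vcpu->guest_debug being set */
};

static void write_mdcr_el2(uint32_t val) { hw_mdcr_el2 = val; }

/* vcpu_load on VHE: copies whatever arch.mdcr_el2 currently holds into the register. */
static void vcpu_load(struct vcpu *v) { write_mdcr_el2(v->mdcr_el2); }

/*
 * Run-loop step that computes arch.mdcr_el2. Before the fix it only updates
 * the struct; with the fix it also writes the register when the value changed.
 */
static void kvm_arm_setup_debug(struct vcpu *v, bool fixed) {
    uint32_t orig = v->mdcr_el2;

    v->mdcr_el2 = MDCR_TRAP_PMU;            /* always trap PMU access in this model */
    if (v->guest_debug)
        v->mdcr_el2 |= MDCR_TRAP_DEBUG;     /* trap debug registers when debugging */

    if (fixed && orig != v->mdcr_el2)
        write_mdcr_el2(v->mdcr_el2);        /* the fix: push the change now */
}

/* One run-loop iteration: compute the debug state, then "enter" the guest. */
static uint32_t run_once(struct vcpu *v, bool fixed) {
    kvm_arm_setup_debug(v, fixed);
    return hw_mdcr_el2;  /* the register value in force while the guest runs */
}

/* Preemption: the vcpu is put and loaded again, which re-runs vcpu_load. */
static void preempt(struct vcpu *v) { vcpu_load(v); }

/* Is guest PMU access trapped on the very first iteration after load? */
static bool first_iteration_traps_pmu(bool fixed) {
    struct vcpu v = { .mdcr_el2 = 0, .guest_debug = false };
    hw_mdcr_el2 = 0;
    vcpu_load(&v);                       /* arch.mdcr_el2 is still zero here */
    return (run_once(&v, fixed) & MDCR_TRAP_PMU) != 0;
}

/* After the first preemption the stale value is replaced even without the fix. */
static bool after_preempt_traps_pmu(bool fixed) {
    struct vcpu v = { .mdcr_el2 = 0, .guest_debug = false };
    hw_mdcr_el2 = 0;
    vcpu_load(&v);
    run_once(&v, fixed);
    preempt(&v);
    return (run_once(&v, fixed) & MDCR_TRAP_PMU) != 0;
}

/* Does enabling guest_debug take effect on the next iteration, or only after preemption? */
static bool guest_debug_change_is_immediate(bool fixed) {
    struct vcpu v = { .mdcr_el2 = 0, .guest_debug = false };
    hw_mdcr_el2 = 0;
    vcpu_load(&v);
    run_once(&v, fixed);
    preempt(&v);                         /* steady state: register matches struct */
    v.guest_debug = true;                /* user space turns on guest debugging */
    return (run_once(&v, fixed) & MDCR_TRAP_DEBUG) != 0;
}

int main(void) {
    printf("first iteration traps PMU:    unfixed=%d fixed=%d\n",
           first_iteration_traps_pmu(false), first_iteration_traps_pmu(true));
    printf("after preemption traps PMU:   unfixed=%d fixed=%d\n",
           after_preempt_traps_pmu(false), after_preempt_traps_pmu(true));
    printf("guest_debug change immediate: unfixed=%d fixed=%d\n",
           guest_debug_change_is_immediate(false), guest_debug_change_is_immediate(true));
    return 0;
}
```

The model reproduces both symptoms in the commit log: without the fix the guest's first iteration runs with a zero register (no PMU trap) until preemption reloads it, and a later change to guest_debug is likewise delayed until the next reload; with the write in kvm_arm_setup_debug both take effect on the iteration in which the value is computed.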