Message-ID: <20250107220400.GA14382@openwall.com>
Date: Tue, 7 Jan 2025 23:04:00 +0100
From: Solar Designer <solar@...nwall.com>
To: Linfeng Sun <slf@....edu.cn>
Cc: oss-security@...ts.openwall.com
Subject: Re: Linux: general protection fault in __vmx_vcpu_run with nested virtualization

Hi,

Thank you very much for bringing this to oss-security (as it also was on
linux-distros).

On Mon, Jan 06, 2025 at 05:01:49PM +0800, Linfeng Sun wrote:
> A bug has been detected in the Linux kernel's nested virtualization
> implementation, which can lead to a general protection fault in
> __vmx_vcpu_run when running a higher version L1 hypervisor kernel on an
> L0 host kernel version predating the following commit:
> https://github.com/torvalds/linux/commit/45779be5ced626db836e612e0dc638a1601abcf2

I assume you identified this commit by bisecting?

Do you know / can explain how your PoC triggers this bug? Where does the
POP SS instruction come from?

Also, in another message (not CC'ed to you) Demi Marie Obenour asked:
"Is this exploitable for anything other than denial of service?"

The corresponding mainline commit is:

commit 6aa5c47c351b22c21205c87977c84809cd015fcf
Author: Michal Luczaj <mhal@...x.co>
Date:   Mon Aug 22 00:06:47 2022 +0200

    KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility

    The emulator checks the wrong variable while setting the CPU
    interruptibility state, the target segment is embedded in the
    instruction opcode, not the ModR/M register. Fix the condition.

    Signed-off-by: Michal Luczaj <mhal@...x.co>
    Fixes: a5457e7bcf9a ("KVM: emulate: POP SS triggers a MOV SS shadow too")
    Cc: stable@...r.kernel.org
    Link: https://lore.kernel.org/all/20220821215900.1419215-1-mhal@rbox.co
    Signed-off-by: Sean Christopherson <seanjc@...gle.com>

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index f092c54d1a2f..08dbcff4045a 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1953,7 +1953,7 @@ static int em_pop_sreg(struct x86_emulate_ctxt *ctxt) if (rc != X86EMUL_CONTINUE) return rc; - if (ctxt->modrm_reg == VCPU_SREG_SS) + if (seg == VCPU_SREG_SS) ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS; if (ctxt->op_bytes > 2) rsp_increment(ctxt, ctxt->op_bytes - 2); Alexander
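Review bot: the new condition reads the local `seg` instead of `ctxt->modrm_reg`, but the hunk shows neither where `seg` is assigned nor why `modrm_reg` is the wrong field; a short comment above the check, e.g. `/* POP sreg carries no ModR/M byte: the segment is taken from the opcode */`, would record the reasoning from the commit message at the point of the bug. Since a stale `modrm_reg` can both miss the MOV SS shadow for a real POP SS and raise it spuriously for another POP sreg, a regression test that executes POP SS and at least one other segment pop and checks the resulting `interruptibility` would be worth adding alongside the one-line fix.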
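The commit message above makes a decode-level point: for the POP-segment-register family the target segment is encoded in the opcode byte and there is no ModR/M byte at all, so a ModR/M register field is simply unrelated to the instruction. The following is an added illustration written for this page, not code from the kernel, from the patch author or from this thread. It models that decode step with a simplified stand-in context (the `emu_ctxt` struct, `SHADOW_INT_MOV_SS` and the function names are assumptions, not KVM's own); the opcode values are the architectural ones. It shows the corrected check beside the pre-fix one, so that both failure modes are visible: a real POP SS left without its interrupt shadow, and a POP DS given one because of whatever happened to sit in the ModR/M field.

```c
/* Added illustration, not kernel code: models the POP-sreg decode step.
 * The emu_ctxt layout, SHADOW_INT_MOV_SS and the function names are
 * simplified stand-ins; the opcode encodings are architectural. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum sreg { SREG_ES = 0, SREG_CS, SREG_SS, SREG_DS, SREG_FS, SREG_GS, SREG_NONE = -1 };

/* Interrupt-shadow flag, standing in for KVM's KVM_X86_SHADOW_INT_MOV_SS. */
#define SHADOW_INT_MOV_SS 0x1

struct emu_ctxt {
    int modrm_reg;        /* only meaningful for opcodes that carry a ModR/M byte */
    int interruptibility; /* interrupt shadow bits left behind by the instruction */
};

/* Map a POP-sreg opcode to its target segment, or SREG_NONE if it is not one.
 * One-byte forms: 07 = POP ES, 17 = POP SS, 1F = POP DS.
 * Two-byte forms: 0F A1 = POP FS, 0F A9 = POP GS.  No ModR/M byte in any of them. */
static enum sreg decode_pop_sreg(const uint8_t *insn, size_t len, size_t *consumed)
{
    if (len == 0)
        return SREG_NONE;
    switch (insn[0]) {
    case 0x07: *consumed = 1; return SREG_ES;
    case 0x17: *consumed = 1; return SREG_SS;
    case 0x1F: *consumed = 1; return SREG_DS;
    case 0x0F:
        if (len < 2)
            return SREG_NONE;
        if (insn[1] == 0xA1) { *consumed = 2; return SREG_FS; }
        if (insn[1] == 0xA9) { *consumed = 2; return SREG_GS; }
        return SREG_NONE;
    default:
        return SREG_NONE;
    }
}

/* Corrected logic: the shadow follows the segment decoded from the opcode.
 * Returns bytes consumed, or -1 if the bytes are not a POP sreg. */
static int pop_sreg_fixed(struct emu_ctxt *ctxt, const uint8_t *insn, size_t len)
{
    size_t consumed = 0;
    enum sreg seg = decode_pop_sreg(insn, len, &consumed);
    if (seg == SREG_NONE)
        return -1;
    ctxt->interruptibility = (seg == SREG_SS) ? SHADOW_INT_MOV_SS : 0;
    return (int)consumed;
}

/* Pre-fix logic: tests a ModR/M register field this instruction never fills,
 * so whatever value is already in ctxt->modrm_reg decides the shadow. */
static int pop_sreg_buggy(struct emu_ctxt *ctxt, const uint8_t *insn, size_t len)
{
    size_t consumed = 0;
    enum sreg seg = decode_pop_sreg(insn, len, &consumed);
    if (seg == SREG_NONE)
        return -1;
    ctxt->interruptibility = (ctxt->modrm_reg == SREG_SS) ? SHADOW_INT_MOV_SS : 0;
    return (int)consumed;
}

int main(void)
{
    /* Constructed instruction bytes for the demonstration. */
    static const uint8_t pop_ss[] = { 0x17 };
    static const uint8_t pop_ds[] = { 0x1F };
    struct emu_ctxt fixed = { .modrm_reg = 0 };        /* stale field says "not SS" */
    struct emu_ctxt buggy = { .modrm_reg = SREG_SS };  /* stale field says "SS"     */

    pop_sreg_fixed(&fixed, pop_ss, sizeof pop_ss);
    pop_sreg_buggy(&buggy, pop_ds, sizeof pop_ds);
    printf("fixed: POP SS -> shadow %d\n", fixed.interruptibility);        /* 1 */
    printf("buggy: POP DS -> shadow %d (spurious)\n", buggy.interruptibility); /* 1 */
    return 0;
}
```

Running the program shows the two sides of the bug: the corrected path sets the shadow exactly for POP SS, while the old path can set it for POP DS (or miss it for POP SS) depending on an unrelated field, which is the kind of stale-state dependence that makes emulator bugs hard to reproduce outside the exact guest that happens to leave that field in the right state.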