Message-ID: <CALCETrXb4H5qa1o9qbC=+VJ+y6PGdoO-XWV3QNtNxkwCWC2ZTw@mail.gmail.com>
Date: Tue, 08 May 2018 17:38:28 +0000
From: Andy Lutomirski <luto@...nel.org>
To: oss security list <oss-security@...ts.openwall.com>
Subject: CVE-2018-1087: KVM incorrectly handles #DB exceptions while deferred by MOV SS/POP SS

On x86, MOV SS and POP SS behave strangely if they encounter a data
breakpoint.  If this occurs in a KVM guest, KVM incorrectly thinks that a
#DB instruction was caused by the undocumented ICEBP instruction.  This
results in #DB being delivered to the guest kernel with an incorrect RIP on
the stack.  On most guest kernels, this will allow a guest user to DoS the
guest kernel or even to escalate privilege to that of the guest kernel.

Fixed upstream by commit 32d43cd391ba ("kvm/x86: fix icebp instruction
handling").

If you are running a guest OS that runs untrusted userspace code and you
are forced to run on an unpatched host, you may be able to mitigate this
issue by inserting 15 consecutive NOP instructions in your SYSCALL64 and
SYSCALL32 entry points as well as in your IDT vectors 3 and 4.  I am
hesitant to submit such a patch for upstream Linux, since the bug is
clearly a KVM bug and is now fixed.

Discovered by me.  A PoC can be found here:

https://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto@kernel.org

Thank you to Paolo Bonzini and Linus Torvalds for handling most of the
technical bits of this bug.