Message-ID: <CALCETrXb4H5qa1o9qbC=+VJ+y6PGdoO-XWV3QNtNxkwCWC2ZTw@mail.gmail.com>
Date: Tue, 08 May 2018 17:38:28 +0000
From: Andy Lutomirski <luto@...nel.org>
To: oss security list <oss-security@...ts.openwall.com>
Subject: CVE-2018-1087: KVM incorrectly handles #DB exceptions while deferred by MOV SS/POP SS

On x86, MOV SS and POP SS behave strangely if they encounter a data breakpoint. If this occurs in a KVM guest, KVM incorrectly thinks that a #DB instruction was caused by the undocumented ICEBP instruction. This results in #DB being delivered to the guest kernel with an incorrect RIP on the stack. On most guest kernels, this will allow a guest user to DoS the guest kernel or even to escalate privilege to that of the guest kernel.

Fixed upstream by commit 32d43cd391ba ("kvm/x86: fix icebp instruction handling").

If you are running a guest OS that runs untrusted userspace code and you are forced to run on an unpatched host, you may be able to mitigate this issue by inserting 15 consecutive NOP instructions in your SYSCALL64 and SYSCALL32 entry points as well as in your IDT vectors 3 and 4. I am hesitant to submit such a patch for upstream Linux, since the bug is clearly a KVM bug and is now fixed.

Discovered by me. A PoC can be found here:

https://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto@kernel.org

Thank you to Paolo Bonzini and Linus Torvalds for handling most of the technical bits of this bug.
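The bug above hinges on a hypervisor telling apart two events that both arrive as vector 1: a hardware #DB trap (for example a data breakpoint whose delivery was deferred by MOV SS) and the INT1/ICEBP instruction, which VMX reports as a privileged software exception and for which guest RIP still points at the instruction itself. The example below is added here and is not code from the post or from KVM; the bit layout follows the VM-exit interruption-information field as documented in the Intel SDM, and the constant and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* VM-exit interruption-information field (Intel SDM Vol. 3, VMCS exit fields):
 * bits 7:0 vector, bits 10:8 interruption type, bit 31 valid. */
#define INTR_INFO_VECTOR_MASK 0x000000ffu
#define INTR_INFO_TYPE_MASK   0x00000700u
#define INTR_INFO_TYPE_SHIFT  8
#define INTR_INFO_VALID       0x80000000u

enum intr_type {
	INTR_TYPE_EXT_INTR       = 0,
	INTR_TYPE_NMI            = 2,
	INTR_TYPE_HARD_EXCEPTION = 3, /* #DB from a breakpoint, #PF, #GP, ... */
	INTR_TYPE_SOFT_INTR      = 4, /* INT n */
	INTR_TYPE_PRIV_SW_EXC    = 5, /* INT1 / ICEBP */
	INTR_TYPE_SOFT_EXCEPTION = 6, /* INT3, INTO */
};

#define DB_VECTOR 1

static inline unsigned intr_type(uint32_t info)
{
	return (info & INTR_INFO_TYPE_MASK) >> INTR_INFO_TYPE_SHIFT;
}

/* ICEBP is identified from the interruption type alone: a valid event of type
 * "privileged software exception" with vector 1. A hardware #DB (type 3),
 * whatever its DR6 status bits look like, is never an ICEBP. */
bool is_icebp(uint32_t info)
{
	uint32_t mask = INTR_INFO_VALID | INTR_INFO_TYPE_MASK | INTR_INFO_VECTOR_MASK;
	uint32_t want = INTR_INFO_VALID |
			((uint32_t)INTR_TYPE_PRIV_SW_EXC << INTR_INFO_TYPE_SHIFT) | DB_VECTOR;
	return (info & mask) == want;
}

/* RIP the guest handler should see on its stack when the event is reflected.
 * For software-originated events VMX leaves guest RIP at the instruction and
 * supplies its length separately, so RIP must be advanced; for hardware
 * exceptions the saved RIP is already correct and must be left alone. */
uint64_t reflected_guest_rip(uint32_t info, uint64_t guest_rip, uint32_t exit_insn_len)
{
	switch (intr_type(info)) {
	case INTR_TYPE_SOFT_INTR:
	case INTR_TYPE_PRIV_SW_EXC:
	case INTR_TYPE_SOFT_EXCEPTION:
		return guest_rip + exit_insn_len;
	default:
		return guest_rip;
	}
}
```

Fed a constructed hardware-#DB exit (valid, type 3, vector 1) the classifier returns false and RIP is untouched; fed a constructed ICEBP exit (valid, type 5, vector 1) it returns true and RIP is advanced by the one-byte instruction length.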