Date: Thu, 30 Jan 2020 18:16:37 +0000 From: Catalin Marinas <catalin.marinas@....com> To: oss-security@...ts.openwall.com Subject: Linux kernel: arm64/KVM debug registers vulnerability Hi, A bug has been fixed in the arm64 KVM port (commit id 4942dc6638b07b5326b6d2faa142635c559e7cd5 "KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE") which would allow a guest to access the debug/PMU registers used by the host without being trapped. This can only happen during the vCPU start until the first preemption. Systems with an ARMv8.1 or later CPU are affected (with the Virtualisation Host Extensions). The implications are that a guest, for a brief period, may be able to read event counters belonging to the host or potentially trigger perf-related IRQs in the host. A more detailed description of the fix from the commit log : KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE On VHE systems arch.mdcr_el2 is written to mdcr_el2 at vcpu_load time to set options for self-hosted debug and the performance monitors extension. Unfortunately the value of arch.mdcr_el2 is not calculated until kvm_arm_setup_debug() in the run loop after the vcpu has been loaded. This means that the initial brief iterations of the run loop use a zero value of mdcr_el2 - until the vcpu is preempted. This also results in a delay between changes to vcpu->guest_debug taking effect. Fix this by writing to mdcr_el2 in kvm_arm_setup_debug() on VHE systems when a change to arch.mdcr_el2 has been detected. No CVE ID has been assigned to this bug. -- Catalin  https://git.kernel.org/linus/4942dc6638b07b5326b6d2faa142635c559e7cd5
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.