Date: Thu, 30 Jan 2020 18:16:37 +0000
From: Catalin Marinas <>
Subject: Linux kernel: arm64/KVM debug registers vulnerability


A bug has been fixed in the arm64 KVM port (commit id
4942dc6638b07b5326b6d2faa142635c559e7cd5 "KVM: arm64: Write
arch.mdcr_el2 changes since last vcpu_load on VHE") which would allow a
guest to access the debug/PMU registers used by the host without being
trapped. This can only happen during the vCPU start until the first
preemption. Systems with an ARMv8.1 or later CPU are affected (with the
Virtualisation Host Extensions).

The implications are that a guest, for a brief period, may be able to
read event counters belonging to the host or potentially trigger
perf-related IRQs in the host.

A more detailed description of the fix from the commit log [1]:

    KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE

    On VHE systems arch.mdcr_el2 is written to mdcr_el2 at vcpu_load time to
    set options for self-hosted debug and the performance monitors

    Unfortunately the value of arch.mdcr_el2 is not calculated until
    kvm_arm_setup_debug() in the run loop after the vcpu has been loaded.
    This means that the initial brief iterations of the run loop use a zero
    value of mdcr_el2 - until the vcpu is preempted. This also results in a
    delay between changes to vcpu->guest_debug taking effect.

    Fix this by writing to mdcr_el2 in kvm_arm_setup_debug() on VHE systems
    when a change to arch.mdcr_el2 has been detected.

No CVE ID has been assigned to this bug.
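To make the timing window concrete, here is a small simulation of the flow the commit log describes. It is an added example written for this page, not code from the kernel or from the commit: `hw_mdcr_el2` stands in for the MDCR_EL2 system register, `MDCR_EL2_TRAP_PMU` is an assumed placeholder bit for "trap guest accesses to host debug/PMU state", and `vcpu_load()` / `kvm_arm_setup_debug()` are reduced to the single behaviour relevant here. The `fixed` flag switches between the original ordering (the computed value only reaches hardware at the next `vcpu_load`, i.e. after a preemption) and the fixed ordering (written as soon as a change is detected).

```c
/* Model of the arm64 KVM VHE mdcr_el2 ordering bug and its fix.
 * Added example for illustration only; not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed placeholder bit: "trap guest debug/PMU accesses to the host". */
#define MDCR_EL2_TRAP_PMU (1u << 6)

/* Stands in for the hardware MDCR_EL2 register on a VHE host. */
static uint32_t hw_mdcr_el2;

struct vcpu {
    uint32_t arch_mdcr_el2; /* KVM's cached copy: vcpu->arch.mdcr_el2 */
};

/* vcpu_load on VHE: whatever is cached in arch.mdcr_el2 is written to
 * hardware. At vCPU start the cache has not been computed yet, so this
 * writes zero, i.e. no traps. */
static void vcpu_load(struct vcpu *v)
{
    hw_mdcr_el2 = v->arch_mdcr_el2;
}

/* kvm_arm_setup_debug, called from the run loop after vcpu_load:
 * computes the wanted value. Original flow: cache only. Fixed flow:
 * also write hardware when the value differs from what is there. */
static void kvm_arm_setup_debug(struct vcpu *v, bool fixed)
{
    v->arch_mdcr_el2 = MDCR_EL2_TRAP_PMU;
    if (fixed && v->arch_mdcr_el2 != hw_mdcr_el2)
        hw_mdcr_el2 = v->arch_mdcr_el2;
}

/* Simulate vCPU start followed by `total_iters` run-loop iterations, with
 * a preemption (vcpu_put + vcpu_load) after `iters_before_preempt`
 * iterations (0 = never preempted). Returns how many guest entries were
 * made while the hardware register did not trap PMU accesses. */
static int untrapped_entries(bool fixed, int iters_before_preempt, int total_iters)
{
    struct vcpu v = { 0 };
    int untrapped = 0;

    hw_mdcr_el2 = 0;
    vcpu_load(&v); /* cache still zero: hardware gets zero */

    for (int i = 0; i < total_iters; i++) {
        kvm_arm_setup_debug(&v, fixed);
        if (!(hw_mdcr_el2 & MDCR_EL2_TRAP_PMU))
            untrapped++; /* guest ran with host PMU state reachable */
        if (i + 1 == iters_before_preempt)
            vcpu_load(&v); /* preemption finally propagates the cache */
    }
    return untrapped;
}

int main(void)
{
    printf("original, preempted after 3 of 5 iterations: %d untrapped entries\n",
           untrapped_entries(false, 3, 5));
    printf("original, never preempted over 5 iterations: %d untrapped entries\n",
           untrapped_entries(false, 0, 5));
    printf("fixed, preempted after 3 of 5 iterations:    %d untrapped entries\n",
           untrapped_entries(true, 3, 5));
    return 0;
}
```

The two original-flow cases show the window described in the advisory: the guest runs untrapped until the first preemption, and on a vCPU that is never preempted the window never closes. With the fix the write happens inside `kvm_arm_setup_debug()` before the first guest entry, so the count is zero.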
