List:       oss-security
Subject:    [oss-security] CVE-2018-1087: KVM incorrectly handles #DB exceptions while deferred by MOV SS/POP SS
From:       Andy Lutomirski <luto () kernel ! org>
Date:       2018-05-08 17:38:28
Message-ID: CALCETrXb4H5qa1o9qbC=+VJ+y6PGdoO-XWV3QNtNxkwCWC2ZTw () mail ! gmail ! com

On x86, MOV SS and POP SS behave strangely if they encounter a data
breakpoint.  If this occurs in a KVM guest, KVM incorrectly thinks that a
#DB instruction was caused by the undocumented ICEBP instruction.  This
results in #DB being delivered to the guest kernel with an incorrect RIP on
the stack.  On most guest kernels, this will allow a guest user to DoS the
guest kernel or even to escalate privilege to that of the guest kernel.

Fixed upstream by commit 32d43cd391ba ("kvm/x86: fix icebp instruction
handling").

If you are running a guest OS that runs untrusted userspace code and you
are forced to run on an unpatched host, you may be able to mitigate this
issue by inserting 15 consecutive NOP instructions in your SYSCALL64 and
SYSCALL32 entry points as well as in your IDT vectors 3 and 4.  I am
hesitant to submit such a patch for upstream Linux, since the bug is
clearly a KVM bug and is now fixed.

Discovered by me.  A PoC can be found here:

https://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto@kernel.org


Thank you to Paolo Bonzini and Linus Torvalds for handling most of the
technical bits of this bug.
