CVE Request: Linux kernel unprivileged denial-of-service due to mis-protected xsave/xrstor instructions.

[Quentin Casasnovas <quentin.casasnovas () oracle com>]

Hi,

Jamie and I discovered there was a flaw in the way the xsave/xrstor (and
their alternative instructions) were being protected against a fault in
kernel space from linux 3.15.  The problem was introduced in commit f31a9f7
("x86/xsaves: Use xsaves/xrstors to save and restore xsave area") which
ends up protecting the .altinstr_replacement from faulting instead of the
target of the alternative in .text, leaving the instruction un-protected.

You can find a reproducer (thanks to Allan for his help with/comments on
it!) triggering the fault in kernel space attached to this e-mail but it
should be noted there are a few different places where these instructions
are used un-protected and the reproducer only uses one of them present in
the kvm code.  You can find a list of all such places in the attached
unprotected_xsave_faults attachment which was generated against a v4.0-rc1
defconfig + CONFIG_KVM vmlinux.o (the most concerning one probably being in
__switch_to()).  The reproducer is a patch to apply on top of lkvm
(https://github.com/penberg/linux-kvm) but it should be trivial to write as
a standalone C application.

It should be noted that this vulnerability is present even if the hardware
does not support xsaveS.

This is fixed by upstream commit 06c8173eb:

  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=06c8173eb92bbfc03a0fe8bb64315857d0badd06

Other patches to prevent introduction of the same class of vulnerability
are currently being reviewed on lkml:

  https://lkml.org/lkml/2015/3/17/462

I haven't received any news from cve-assign when this issue was previously
discussed on security () kernel org.  Could a CVE be assigned to this please?

Thanks,
Quentin

Attachment: xsave-fault-reproducer.patch
Description:

Attachment: unprotected_xsave_faults
Description: