oss-sec mailing list archives

Re: CVE-2020-11669: Linux kernel 4.10 to 5.1: powerpc: guest can cause DoS on POWER9 KVM hosts


From: Michal Suchánek <msuchanek () suse de>
Date: Wed, 15 Apr 2020 16:03:29 +0200

On Wed, Apr 15, 2020 at 10:52:53PM +1000, Andrew Donnellan wrote:
> The Linux kernel for powerpc from v4.10 to v5.1 has a bug where the
> Authority Mask Register (AMR), Authority Mask Override Register (AMOR) and
> User Authority Mask Override Register (UAMOR) are not correctly saved and
> restored when the CPU is going into/coming out of idle state.
>
> On POWER9 CPUs, this means that a CPU may return from idle with the AMR
> value of another thread on the same core.
>
> This allows a trivial Denial of Service attack against KVM hosts, by booting
> a guest kernel which makes use of the AMR, such as a v5.2 or later kernel
> with Kernel Userspace Access Prevention (KUAP) enabled.
>
> The guest kernel will set the AMR to prevent userspace access, then the
> thread will go idle. At a later point, the hardware thread that the guest
> was using may come out of idle and start executing in the host, without
> restoring the host AMR value. The host kernel can get caught in a page fault
> loop, as the AMR is unexpectedly causing memory accesses to fail in the
> host, and the host is eventually rendered unusable.

Hello,

Shouldn't the kernel restore the host registers when leaving the guest?

I recall some code exists for handling the *AM*R when leaving guest. Can
the KVM guest enter idle without exiting to host?

Thanks

Michal
