[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86/vmx: Revert "x86/VMX: sanitize rIP before re-entering guest"

  • To: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Wed, 23 Aug 2023 15:09:40 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=DMD2cGxup2f5jsgp180LJscr98gtNO5DFaRWD2K9ddo=; b=QKR9voS4gEWP8Na4R1VI79rLCyXw2lyUZf8sfL8SXKzyOGJ32/pr3UY3Quri6SYI26px7n/KgSntT0CMtvp2Vn6m3eKnQycnOAtBmexZXQV1Hj+uUM15XTyC5Hth8W2919ETi+YhXIGRw0yBAjYTrAYAP65yuPQS8oDZrMHQchIxo2aV+WNP7aW7oP2d0t8Y3g2wjN3D0SXbkapz7zBgfgbHWA4NsZqp5nOhkFMyLrV4ewux10zuptG2BX8DOa8JqaGKvMnlfz43lgKsKEQ3PwgkWETTo3vr6zSOZTje9L7FKbSoclJOj6flZ6oZ91jS8k/cjX9RzQwyoCJNE4rbWQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=d+752N9TjkHlD6LXeC0ZVgeFhCwY8SFv87HRCpKEfdxhbm8mX0nEssDOj1HYw4+TzYg46b8XutGJnnBHDs0ia5k7RQCo1nCH4pwE1w+ddwCRoWXRGZUC8+tMxEIycUEePmA4jJ0dgNrXovB2puS/eDeHrmd6agVOmJ4U9GImsJg1hTSZcBWrNHrg0dhLo8qG07voogffK67m+fZPn5oL/m5O60b+M+oJjPR7Blap0mSuRSh0q0ITFi7bErjNIIkS+zquoO11w+zp4loWcRVQzt28jugUaniRkq4s0FYQPnZ1ydoTCd36udYced66s0LzTcgyG4M+LwRJtaIWuqpw9w==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <JBeulich@xxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>
  • Delivery-date: Wed, 23 Aug 2023 14:10:00 +0000
  • Ironport-data: A9a23:G7LrDq/Zcb7icQFfy+CdDrUDU3+TJUtcMsCJ2f8bNWPcYEJGY0x3n GBLD2qBOf6LN2qhL95xa9+09hsFuJ/XnINqTQA5pHs8E34SpcT7XtnIdU2Y0wF+jCHgZBk+s 5hBMImowOQcFCK0SsKFa+C5xZVE/fjUAOG6UKicYXoZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqojUNUTNNwRcawr40Ird7ks21BjOkGlA5AdmNaoQ5Aa2e0Q9V/rzG4ngdxMUfaEMdgKKb 76r5K20+Grf4yAsBruN+losWhRXKlJ6FVHmZkt+A8BOsDAbzsAB+v9T2M4nQVVWk120c+VZk 72hg3ASpTABZcUgkMxFO/VR/roX0aduoNcrKlDn2SCfItGvn9IBDJyCAWlvVbD09NqbDklM2 KYmFgshTiqsrL2q+qz8UMtwheU8eZyD0IM34hmMzBn/JNN/GdXmfP+P4tVVmjAtmspJAPDSI dIDbiZiZwjBZBsJPUoLDJU5n6GjgXyXnz9w8QrJ4/ZopTWOilUpitABM/KMEjCObexTklyVu STt+GPhDwtBHNee1SCE4jSngeqncSbTAdtDSuPjrqIz6LGV7mc/LlpRdneHnfSGjGqHcPwHF 0FE4jV7+MDe82TuFLERRSaQsHOC+xIRRddUO+k78x2WjLrZ5R6DAWoJRSIHb8Yp3OcUbzE30 l6Cn/vyGCdi9raSTBq16bO8vT60fy8PIgcqZzICCw0M4NDhoYQ6phPJUttnVqWyi7XdGjzuw jbMsCk3gZ0Si9IG0+Ow+lWvvt63jp3ATwpw4xqNWGugt1t9fNT8P9bu7kXH5/FdKorfVkOGo HUPh8mZ6qYJEI2JkyuOBu4KGdlF+sq4DdEVunY3d7FJythn0yfLkVx4iN2mGHpUDw==
  • Ironport-hdrordr: A9a23:85dJQql86DwrF0zQ9GjAnfmHHALpDfIo3DAbv31ZSRFFG/Fwwf re+MjztCWVtN9/YhodcLy7UpVoIkm8yXcW2+Ys1OyZLWzbUQKTRelfBO3ZrgEIcBeRygcy78 tdmwcVMqyWMbDX5/yKgzVRsrwbsbu6zJw=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 23/08/2023 2:31 pm, Roger Pau Monné wrote:
> On Wed, Aug 23, 2023 at 12:56:48PM +0100, Andrew Cooper wrote:
>> On 23/08/2023 12:15 pm, Roger Pau Monné wrote:
>>> On Wed, Apr 05, 2023 at 10:52:45PM +0100, Andrew Cooper wrote:
>>>> At the time of XSA-170, the x86 instruction emulator was genuinely broken. 
>>>>  It
>>>> would load arbitrary values into %rip and putting a check here probably was
>>>> the best stopgap security fix.  It should have been reverted following c/s
>>>> 81d3a0b26c1 "x86emul: limit-check branch targets" which corrected the 
>>>> emulator
>>>> behaviour.
>>>>
>>>> However, everyone involved in XSA-170, myself included, failed to read the 
>>>> SDM
>>>> correctly.  On the subject of %rip consistency checks, the SDM stated:
>>>>
>>>>   If the processor supports N < 64 linear-address bits, bits 63:N must be
>>>>   identical
>>>>
>>>> A non-canonical %rip (and SSP more recently) is an explicitly legal state 
>>>> in
>>>> x86, and the VMEntry consistency checks are intentionally off-by-one from a
>>>> regular canonical check.
>>>>
>>>> The consequence of this bug is that Xen will currently take a legal x86 
>>>> state
>>>> which would successfully VMEnter, and corrupt it into having 
>>>> non-architectural
>>>> behaviour.
>>>>
>>>> Furthermore, in the time this bugfix has been pending in public, I
>>>> successfully persuaded Intel to clarify the SDM, adding the following
>>>> clarification:
>>>>
>>>>   The guest RIP value is not required to be canonical; the value of bit N-1
>>>>   may differ from that of bit N.
>>>>
>>>> Fixes: ffbbfda377 ("x86/VMX: sanitize rIP before re-entering guest")
>>> I think the fixes tag should likely be "x86emul: limit-check branch
>>> targets", since it's that commit that missed the revert done here?
>> Well, not really.  ffbbfda377 really does have a bug, irrespective of
>> the changes in the emulator.
>>
>> The presence of 81d3a0b26c1 is why this bugfix is a full revert of
>> ffbbfda377, and not just an off-by-1 adjustment.
> Right, but taking this patch without also having 81d3a0b26c1 will lead
> to a vulnerable system, hence why I think the dependency would better
> be on 81d3a0b26c1.
>
> Anyway, I don't think it's worth arguing over, so if you want to leave
> it as-is I won't object.

We don't really have a depends-on tag, or only-safe-with or whatever,
and a change like that is stretching the definition of Fixes IMO.

81d3a0b26c1 is more than 7 years old now, so there's not going to be a
practical problem backporting.  For everything else, I expect people to
read the commit message and apply common sense.

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.