oss-sec mailing list archives
CVE-2018-1087: KVM incorrectly handles #DB exceptions while deferred by MOV SS/POP SS
From: Andy Lutomirski <luto () kernel org>
Date: Tue, 08 May 2018 17:38:28 +0000
On x86, MOV SS and POP SS behave strangely if they encounter a data breakpoint. If this occurs in a KVM guest, KVM incorrectly thinks that a #DB instruction was caused by the undocumented ICEBP instruction. This results in #DB being delivered to the guest kernel with an incorrect RIP on the stack. On most guest kernels, this will allow a guest user to DoS the guest kernel or even to escalate privilege to that of the guest kernel.

Fixed upstream by commit 32d43cd391ba ("kvm/x86: fix icebp instruction handling").

If you are running a guest OS that runs untrusted userspace code and you are forced to run on an unpatched host, you may be able to mitigate this issue by inserting 15 consecutive NOP instructions in your SYSCALL64 and SYSCALL32 entry points as well as in your IDT vectors 3 and 4. I am hesitant to submit such a patch for upstream Linux, since the bug is clearly a KVM bug and is now fixed.

Discovered by me.

A PoC can be found here:
https://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto () kernel org

Thank you to Paolo Bonzini and Linus Torvalds for handling most of the technical bits of this bug.