2015-08-07 10:55:48

by Paolo Bonzini

[permalink] [raw]
Subject: [PATCH] KVM: x86: zero IDT limit on entry to SMM

The recent BlackHat 2015 presentation "The Memory Sinkhole"
mentions that the IDT limit is zeroed on entry to SMM.

This is not documented, and must have changed some time after 2010
(see http://www.ssi.gouv.fr/uploads/IMG/pdf/IT_Defense_2010_final.pdf).
KVM was not doing it, but the fix is easy.

Signed-off-by: Paolo Bonzini <[email protected]>
---
arch/x86/kvm/x86.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 5ef2560075bf..c5e88a881899 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6327,6 +6327,7 @@ static void process_smi_save_state_64(struct kvm_vcpu *vcpu, char *buf)
static void process_smi(struct kvm_vcpu *vcpu)
{
struct kvm_segment cs, ds;
+ struct desc_ptr dt;
char buf[512];
u32 cr0;

@@ -6359,6 +6360,10 @@ static void process_smi(struct kvm_vcpu *vcpu)

kvm_x86_ops->set_cr4(vcpu, 0);

+ /* Undocumented: IDT limit is set to zero on entry to SMM. */
+ dt.address = dt.size = 0;
+ kvm_x86_ops->set_idt(vcpu, &dt);
+
__kvm_set_dr(vcpu, 7, DR7_FIXED_1);

cs.selector = (vcpu->arch.smbase >> 4) & 0xffff;
--
1.8.3.1


2015-08-10 15:31:23

by Radim Krčmář

[permalink] [raw]
Subject: Re: [PATCH] KVM: x86: zero IDT limit on entry to SMM

2015-08-07 12:54+0200, Paolo Bonzini:
> The recent BlackHat 2015 presentation "The Memory Sinkhole"
> mentions that the IDT limit is zeroed on entry to SMM.

Slide 64 of
https://www.blackhat.com/docs/us-15/materials/us-15-Domas-The-Memory-Sinkhole-Unleashing-An-x86-Design-Flaw-Allowing-Universal-Privilege-Escalation.pdf

> This is not documented, and must have changed some time after 2010
> (see http://www.ssi.gouv.fr/uploads/IMG/pdf/IT_Defense_2010_final.pdf).
> KVM was not doing it, but the fix is easy.

This patch also clears the IDT base. Fetching original IDT is better
done from SMM saved state (and an anti-exploit based on comparing those
two seems unlikely) so it should be fine,

Reviewed-by: Radim Krčmář <[email protected]>

> Signed-off-by: Paolo Bonzini <[email protected]>
> ---

That takes care of Attack 1.
KVM is likely not vulnerable to attack 2 and 3 because of an emergent
security feature. (A simple modification of kvm-unit-tests show that
mapping APIC base on top of real code/data makes the APIC page hidden
and I expect SMM memslot to behave similarly.)