Message-ID: <513E2A0A.3080008@siemens.com>
Date: Mon, 11 Mar 2013 20:01:30 +0100
From: Jan Kiszka
To: Gleb Natapov
CC: Paolo Bonzini, linux-kernel@vger.kernel.org, kvm@vger.kernel.org, mtosatti@redhat.com
Subject: Re: [PATCH] x86: kvm: reset the bootstrap processor when it gets an INIT
In-Reply-To: <20130311185132.GB14689@redhat.com>

On 2013-03-11 19:51, Gleb Natapov wrote:
>>> On Intel:
>>> CPU 1                       CPU 2 in a guest mode
>>> send INIT
>>> send SIPI
>>>                             INIT vmexit
>>>                             vmxoff
>>>                             reset and start from SIPI vector
>>
>> Is SIPI sticky as well, even if the CPU is not in the wait-for-SIPI
>> state (but runnable and in vmxon) while receiving it?
>>
> That's what they seem to be saying:
>
>   However, an INIT and SIPI interrupts sent to a CPU during time when
>   it is in a VMX mode are remembered and delivered, perhaps hours later,
>   when the CPU exits the VMX mode
>
> Otherwise their exploit will not work.

Very weird, specifically as SIPI is not just a binary event but carries
payload. Will another SIPI event overwrite the previously "saved" vector?

We are deep into an underspecified area...

Jan

-- 
Siemens AG, Corporate Technology, CT RTC ITP SDP-DE
Corporate Competence Center Embedded Linux