Date: Wed, 18 May 2022 13:14:40 +0200
From: "Jason A. Donenfeld"
To: Thomas Gleixner, Vadim Galitsin
Cc: LKML, x86@kernel.org, Filipe Manana, Vadim Galitsin
Subject: Re: [patch 0/3] x86/fpu: Prevent FPU state corruption
References: <20220501192740.203963477@linutronix.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Vadim,

On Wed, May 18, 2022 at 03:02:05AM +0200, Jason A. Donenfeld wrote:
> Observation: the problem is definitely related to using the FPU in a
> hard IRQ.

I wrote a tiny reproducer that should be pretty reliable for testing
this, attached below. I think this proves my working theory. Run this in
a VirtualBox VM, and then move your mouse around or hit the keyboard, or
do something that triggers the add_{input,disk}_randomness() path from a
hardirq handler. On my laptop, for example, the trackpoint goes via
hardirq, but the touchpad does not. As soon as I move the trackpoint
around, the below program prints "XSAVE is borked!".

Also, note that this isn't just "corruption" of the guest VM, but also
leaking secret contents of the host VM into the guest. So you might
really want to make sure VirtualBox issues a fix for this before 5.18,
as it's arguably security sensitive.

Regards,
Jason

#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
	int status = 0;

	/* One spinning child per online CPU, killed when the parent exits. */
	for (int i = 0, nproc = sysconf(_SC_NPROCESSORS_ONLN); i < nproc; ++i) {
		if (!fork()) {
			prctl(PR_SET_PDEATHSIG, SIGKILL);
			/* Park 42 in xmm0 and loop for as long as it still reads back
			 * as 42; the loop only ends if something clobbers xmm0. */
			asm("movq $42, %%rax\n"
			    "movq %%rax, %%xmm0\n"
			    "0:\n"
			    "movq %%xmm0, %%rbx\n"
			    "cmpq %%rax, %%rbx\n"
			    "je 0b\n"
			    : : : "rax", "rbx", "xmm0", "cc");
			_exit(77);
		}
	}
	/* The first child to fall out of its loop ends the test. */
	wait(&status);
	if (WEXITSTATUS(status) == 77)
		printf("XSAVE is borked!\n");
	return 1;
}