From: Jan Kiszka <jan.kiszka@siemens.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Ralf Ramsauer <ralf.ramsauer@oth-regensburg.de>
Subject: Re: [FYI PATCH 0/7] Mitigation for CVE-2018-12207
Date: Wed, 13 Nov 2019 07:38:14 +0100 [thread overview]
Message-ID: <23353382-53ea-8b20-7e30-763ef6df374c@siemens.com> (raw)
In-Reply-To: <1573593697-25061-1-git-send-email-pbonzini@redhat.com>
On 12.11.19 22:21, Paolo Bonzini wrote:
> CVE-2018-12207 is a microarchitectural implementation issue
> that could allow an unprivileged local attacker to cause system wide
> denial-of-service condition.
>
> Privileged software may change the page size (ex. 4KB, 2MB, 1GB) in the
> paging structures, without following such paging structure changes with
> invalidation of the TLB entries corresponding to the changed pages. In
> this case, the attacker could invoke instruction fetch, which will result
> in the processor hitting multiple TLB entries, reporting a machine check
> error exception, and ultimately hanging the system.
>
> The attached patches mitigate the vulnerability by making huge pages
> non-executable. The processor will not be able to execute an instruction
> residing in a large page (ie. 2MB, 1GB, etc.) without causing a trap into
> the host kernel/hypervisor; KVM will then break the large page into 4KB
> pages and gives executable permission to 4KB pages.
When reading MCE, error code 0150h, ie. SRAR, I was wondering if that
couldn't simply be handled by the host. But I suppose the symptom of
that erratum is not "just" regular recoverable MCE, rather
sometimes/always an unrecoverable CPU state, despite the error code, right?
Jan
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
next prev parent reply other threads:[~2019-11-13 6:38 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-12 21:21 [FYI PATCH 0/7] Mitigation for CVE-2018-12207 Paolo Bonzini
2019-11-12 21:21 ` [PATCH 1/7] x86/bugs: Add ITLB_MULTIHIT bug infrastructure Paolo Bonzini
2019-11-12 21:21 ` [PATCH 2/7] x86/cpu: Add Tremont to the cpu vulnerability whitelist Paolo Bonzini
2019-11-12 21:21 ` [PATCH 3/7] cpu/speculation: Uninline and export CPU mitigations helpers Paolo Bonzini
2019-11-12 21:21 ` [PATCH 4/7] kvm: mmu: ITLB_MULTIHIT mitigation Paolo Bonzini
2019-11-12 21:21 ` [PATCH 5/7] kvm: Add helper function for creating VM worker threads Paolo Bonzini
2019-11-12 21:21 ` [PATCH 6/7] kvm: x86: mmu: Recovery of shattered NX large pages Paolo Bonzini
2019-11-12 21:21 ` [PATCH 7/7] Documentation: Add ITLB_MULTIHIT documentation Paolo Bonzini
2019-11-13 6:38 ` Jan Kiszka [this message]
2019-11-13 8:23 ` [FYI PATCH 0/7] Mitigation for CVE-2018-12207 Paolo Bonzini
2019-11-13 21:24 ` Dave Hansen
2019-11-14 1:17 ` Nadav Amit
2019-11-14 5:26 ` Dave Hansen
2019-11-14 6:02 ` Nadav Amit
2019-11-15 2:11 ` Pawan Gupta
2019-11-14 8:09 ` Jan Kiszka
2019-11-18 13:58 ` Ralf Ramsauer
2020-01-21 18:08 ` Jan Kiszka
2020-01-21 18:25 ` Dave Hansen
2019-11-13 23:25 ` Pawan Gupta
2019-11-14 8:13 ` Jan Kiszka
2019-11-15 2:23 ` Pawan Gupta
2019-11-13 13:00 ` Jinpu Wang
2019-11-13 14:44 ` Paolo Bonzini
2019-11-13 18:10 ` Nadav Amit
2019-11-13 18:33 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=23353382-53ea-8b20-7e30-763ef6df374c@siemens.com \
--to=jan.kiszka@siemens.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=ralf.ramsauer@oth-regensburg.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).