ltp.lists.linux.it archive mirror
From: Martin Doucha <mdoucha@suse.cz>
To: Nicolai Stange <nstange@suse.de>, ltp@lists.linux.it
Subject: [LTP] [PATCH 0/7] Two AMD SVM vulnerability tests
Date: Wed, 17 May 2023 17:36:35 +0200	[thread overview]
Message-ID: <20230517153642.26919-1-mdoucha@suse.cz> (raw)

Here are two more kernel vulnerability tests for AMD SVM:

kvm_svm02 checks that the host kernel intercepts VMLOAD and VMSAVE
instructions in nested VMs and translates guest addresses to the correct
physical address. Without the translation, a nested SVM guest can read and
write part of an arbitrary physical memory page chosen by the parent VM.

The test tries to detect the CVE bug harmlessly at first by using VMLOAD
to read a buffer full of zeroes. If it finds any non-zero bytes in the VMCB
fields accessed by VMLOAD/VMSAVE, it'll fail because they must have come
from host memory due to missing address translation.

Since the harmless approach can produce false negatives, it'll also try
a destructive approach and write into memory using VMSAVE. If the bug
is present, the byte pattern in the destination buffer will not change
and the test will reliably fail.

kvm_svm03 checks that the host kernel correctly handles the global interrupt
flag in nested VMs. Otherwise a malicious VM could lock up all CPUs
assigned to it, causing a limited denial of service attack.

The test needs synchronization between the VM and another host thread so
the patchset includes the necessary helper functions.

Martin Doucha (7):
  KVM: Add VMSAVE/VMLOAD intercept constants
  Add test for CVE 2021-3656
  lib: Add safe functions for pthread_kill() and mutexes
  KVM: Add async communication helper functions
  KVM: Allow expected KVM_RUN errors in tst_kvm_run_instance()
  KVM: Add STGI/CLGI intercept constants
  Add KVM test for CPU lockup through malicious SVM guest

 doc/kvm-test-api.txt                       |   9 +-
 include/tst_safe_pthread.h                 |  52 +++++++
 lib/safe_pthread.c                         | 161 ++++++++++++++++++++
 runtest/kvm                                |   2 +
 testcases/kernel/kvm/.gitignore            |   2 +
 testcases/kernel/kvm/Makefile              |   3 +
 testcases/kernel/kvm/include/kvm_common.h  |   8 +
 testcases/kernel/kvm/include/kvm_guest.h   |  14 ++
 testcases/kernel/kvm/include/kvm_host.h    |  21 ++-
 testcases/kernel/kvm/include/kvm_x86_svm.h |   7 +
 testcases/kernel/kvm/kvm_svm02.c           | 159 ++++++++++++++++++++
 testcases/kernel/kvm/kvm_svm03.c           | 164 +++++++++++++++++++++
 testcases/kernel/kvm/lib_guest.c           |  16 ++
 testcases/kernel/kvm/lib_host.c            |  46 +++++-
 14 files changed, 656 insertions(+), 8 deletions(-)
 create mode 100644 testcases/kernel/kvm/kvm_svm02.c
 create mode 100644 testcases/kernel/kvm/kvm_svm03.c

-- 
2.40.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Thread overview: 27+ messages
2023-05-17 15:36 Martin Doucha [this message]
2023-05-17 15:36 ` [LTP] [PATCH 1/7] KVM: Add VMSAVE/VMLOAD intercept constants Martin Doucha
2023-05-17 22:08   ` Petr Vorel
2023-05-18  8:27     ` Martin Doucha
2023-05-18  9:49       ` Petr Vorel
2023-05-17 15:36 ` [LTP] [PATCH 2/7] Add test for CVE 2021-3656 Martin Doucha
2023-05-17 22:32   ` Petr Vorel
2023-05-18  8:29     ` Martin Doucha
2023-05-18  9:56       ` Petr Vorel
2023-05-17 15:36 ` [LTP] [PATCH 3/7] lib: Add safe functions for pthread_kill() and mutexes Martin Doucha
2023-05-17 23:07   ` Petr Vorel
2023-05-23 12:02   ` Cyril Hrubis
2023-05-17 15:36 ` [LTP] [PATCH 4/7] KVM: Add async communication helper functions Martin Doucha
2023-05-17 22:47   ` Petr Vorel
2023-05-18  8:36     ` Martin Doucha
2023-05-18  9:55       ` Petr Vorel
2023-05-23 12:13   ` Cyril Hrubis
2023-05-23 12:18     ` Martin Doucha
2023-05-17 15:36 ` [LTP] [PATCH 5/7] KVM: Allow expected KVM_RUN errors in tst_kvm_run_instance() Martin Doucha
2023-05-18 10:03   ` Petr Vorel
2023-05-23 12:22   ` Cyril Hrubis
2023-05-17 15:36 ` [LTP] [PATCH 6/7] KVM: Add STGI/CLGI intercept constants Martin Doucha
2023-05-17 23:20   ` Petr Vorel
2023-05-18  8:38     ` Martin Doucha
2023-05-18  9:53       ` Petr Vorel
2023-05-17 15:36 ` [LTP] [PATCH 7/7] Add KVM test for CPU lockup through malicious SVM guest Martin Doucha
2023-05-18 10:08   ` Petr Vorel
