VMM vulns?

fro
https://twitter.com/m00nbsd/status/1291257985734410244

I don't want to bump that old thread or start any arguments about this. I'm just curious if this tweet is accurate or have these issues been addressed? Were any of Maxime's suggestions implemented?

Re: VMM vulns?

Mike Larkin-2
On Wed, Sep 02, 2020 at 03:35:54AM +0200, [hidden email] wrote:
> https://twitter.com/m00nbsd/status/1291257985734410244
>
> I don't want to bump that old thread or start any arguments about this. I'm just curious if this tweet is accurate or have these issues been addressed? Were any of Maxime's suggestions implemented?
>  
>  
>

I am not sure if anyone picked up the remaining issues after I left active
vmm development. At that time, I sent out my WIP diff for the TLB flush issue
Maxime reported; it was not 100% complete. I am not sure if anyone is working
on that or not, or any other issues he reported.

-ml


Re: VMM vulns?

Bryan Steele-2
On Wed, Sep 02, 2020 at 02:03:35AM -0700, Mike Larkin wrote:

> On Wed, Sep 02, 2020 at 03:35:54AM +0200, [hidden email] wrote:
> > https://twitter.com/m00nbsd/status/1291257985734410244
> >
> > I don't want to bump that old thread or start any arguments about this. I'm just curious if this tweet is accurate or have these issues been addressed? Were any of Maxime's suggestions implemented?
> >
>
> I am not sure if anyone picked up the remaining issues after I left active
> vmm development. At that time, I sent out my WIP diff for the TLB flush issue
> Maxime reported; it was not 100% complete. I am not sure if anyone is working
> on that or not, or any other issues he reported.
>
> -ml

As far as I'm aware all the pvclock(4) issues were addressed by pd@ and
mortimer@.

https://marc.info/?l=openbsd-cvs&m=158180761313544&w=2
https://marc.info/?l=openbsd-cvs&m=158269876318391&w=2

The "assorted bugs and vulns" like the RDMSR passthrough and the XSETBV
CPL check issues were handled by pd@, me and kettenis@ and they have all
been committed.

https://marc.info/?l=openbsd-cvs&m=158196338821895&w=2

The direct map issue on Intel CPUs hinted at by Maxime was also fixed
by kettenis@, deraadt@ and millert@.

https://marc.info/?l=openbsd-cvs&m=158269724517998&w=2

-Bryan.


Re: VMM vulns?

Bryan Steele-2
On Wed, Sep 02, 2020 at 09:36:17PM -0400, Bryan Steele wrote:
> The direct map issue on Intel CPUs hinted at by Maxime was also fixed
> by kettenis@, deraadt@ and millert@.

Sorry.. and mpi@

https://marc.info/?l=openbsd-cvs&m=158213132510408&w=2

>
> -Bryan.


Re: VMM vulns?

Mike Larkin-2
In reply to this post by Bryan Steele-2
On Wed, Sep 02, 2020 at 09:36:14PM -0400, Bryan Steele wrote:

> On Wed, Sep 02, 2020 at 02:03:35AM -0700, Mike Larkin wrote:
> > On Wed, Sep 02, 2020 at 03:35:54AM +0200, [hidden email] wrote:
> > > https://twitter.com/m00nbsd/status/1291257985734410244
> > >
> > > I don't want to bump that old thread or start any arguments about this. I'm just curious if this tweet is accurate or have these issues been addressed? Were any of Maxime's suggestions implemented?
> > >
> >
> > I am not sure if anyone picked up the remaining issues after I left active
> > vmm development. At that time, I sent out my WIP diff for the TLB flush issue
> > Maxime reported; it was not 100% complete. I am not sure if anyone is working
> > on that or not, or any other issues he reported.
> >
> > -ml
>
> As far as I'm aware all the pvclock(4) issues were addressed by pd@ and
> mortimer@.
>
> https://marc.info/?l=openbsd-cvs&m=158180761313544&w=2
> https://marc.info/?l=openbsd-cvs&m=158269876318391&w=2
>
> The "assorted bugs and vulns" like the RDMSR passthrough and the XSETBV
> CPL check issues were handled by pd@, me and kettenis@ and they have all
> been committed.
>
> https://marc.info/?l=openbsd-cvs&m=158196338821895&w=2
>
> The direct map issue on Intel CPUs hinted at by Maxime was also fixed
> by kettenis@, deraadt@ and millert@.
>
> https://marc.info/?l=openbsd-cvs&m=158269724517998&w=2
>
> -Bryan.
>

The TLB flush issues are still outstanding.

-ml


Re: VMM vulns?

Demi M. Obenour
On 2020-09-03 01:09, Mike Larkin wrote:

> On Wed, Sep 02, 2020 at 09:36:14PM -0400, Bryan Steele wrote:
>> On Wed, Sep 02, 2020 at 02:03:35AM -0700, Mike Larkin wrote:
>>> On Wed, Sep 02, 2020 at 03:35:54AM +0200, [hidden email] wrote:
>>>> https://twitter.com/m00nbsd/status/1291257985734410244
>>>>
>>>> I don't want to bump that old thread or start any arguments about this. I'm just curious if this tweet is accurate or have these issues been addressed? Were any of Maxime's suggestions implemented?
>>>>
>>>
>>> I am not sure if anyone picked up the remaining issues after I left active
>>> vmm development. At that time, I sent out my WIP diff for the TLB flush issue
>>> Maxime reported; it was not 100% complete. I am not sure if anyone is working
>>> on that or not, or any other issues he reported.
>>>
>>> -ml
>>
>> As far as I'm aware all the pvclock(4) issues were addressed by pd@ and
>> mortimer@.
>>
>> https://marc.info/?l=openbsd-cvs&m=158180761313544&w=2
>> https://marc.info/?l=openbsd-cvs&m=158269876318391&w=2
>>
>> The "assorted bugs and vulns" like the RDMSR passthrough and the XSETBV
>> CPL check issues were handled by pd@, me and kettenis@ and they have all
>> been committed.
>>
>> https://marc.info/?l=openbsd-cvs&m=158196338821895&w=2
>>
>> The direct map issue on Intel CPUs hinted at by Maxime was also fixed
>> by kettenis@, deraadt@ and millert@.
>>
>> https://marc.info/?l=openbsd-cvs&m=158269724517998&w=2
>>
>> -Bryan.
>>
>
> The TLB flush issues are still outstanding.
>
> -ml
Yikes!  Is https://openbsd.amsterdam affected?

-Demi



Re: VMM vulns?

Chris Cappuccio
Demi M. Obenour [[hidden email]] wrote:
>
> Yikes!  Is https://openbsd.amsterdam affected?
>

Unless they have a special version of vmm with bugfixes that don't exist
anywhere else, then yes, of course.


Re: VMM vulns?

fro
In reply to this post by Demi M. Obenour
So, if I'm reading this all correctly it looks like _most_ of the issues have been addressed. Seems these are left:

  - The TLB handling of guest pages is broken, in that the INVEPT
    instructions in the host could be issued on the wrong CPUs. This means
    that if UVM decides to swap out a guest page, the guest could still
    access it via stale TLB entries. On AMD CPUs, there is no TLB handling
    at all (??).
 
  - vmx_load_pdptes is broken.

And for the suggestions:  

   - Fix TLB handling
   - Provide *real* ASLR: randomize the PTE space and the direct map.

Does that seem correct?
 

Sent: Thursday, September 10, 2020 at 9:41 AM
From: "Demi M. Obenour" <[hidden email]>
To: [hidden email]
Subject: Re: VMM vulns?
On 2020-09-03 01:09, Mike Larkin wrote:

> On Wed, Sep 02, 2020 at 09:36:14PM -0400, Bryan Steele wrote:
>> On Wed, Sep 02, 2020 at 02:03:35AM -0700, Mike Larkin wrote:
>>> On Wed, Sep 02, 2020 at 03:35:54AM +0200, [hidden email] wrote:
>>>> https://twitter.com/m00nbsd/status/1291257985734410244
>>>>
>>>> I don't want to bump that old thread or start any arguments about this. I'm just curious if this tweet is accurate or have these issues been addressed? Were any of Maxime's suggestions implemented?
>>>>
>>>
>>> I am not sure if anyone picked up the remaining issues after I left active
>>> vmm development. At that time, I sent out my WIP diff for the TLB flush issue
>>> Maxime reported; it was not 100% complete. I am not sure if anyone is working
>>> on that or not, or any other issues he reported.
>>>
>>> -ml
>>
>> As far as I'm aware all the pvclock(4) issues were addressed by pd@ and
>> mortimer@.
>>
>> https://marc.info/?l=openbsd-cvs&m=158180761313544&w=2
>> https://marc.info/?l=openbsd-cvs&m=158269876318391&w=2
>>
>> The "assorted bugs and vulns" like the RDMSR passthrough and the XSETBV
>> CPL check issues were handled by pd@, me and kettenis@ and they have all
>> been committed.
>>
>> https://marc.info/?l=openbsd-cvs&m=158196338821895&w=2
>>
>> The direct map issue on Intel CPUs hinted at by Maxime was also fixed
>> by kettenis@, deraadt@ and millert@.
>>
>> https://marc.info/?l=openbsd-cvs&m=158269724517998&w=2
>>
>> -Bryan.
>>
>
> The TLB flush issues are still outstanding.
>
> -ml

Yikes! Is https://openbsd.amsterdam affected?

-Demi
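The outstanding TLB issue summarised in the post above (host-side invalidations issued on the wrong CPUs, so a guest can keep using a page UVM has taken back through a stale TLB entry) is easy to picture with a small model. The following C program is an added example written for this page; it is not OpenBSD or vmm code and does not execute INVEPT. It models a few CPUs, each with its own translation cache, and compares a flush that only hits the CPU performing the unmap against a shootdown that targets every CPU that has run the guest. All type and function names (`struct vm`, `guest_access`, `unmap_guest_page`, `run_scenario`) and the sample addresses are invented for the illustration.

```c
/* Added example, not vmm code: per-CPU translation caches and why revoking a
 * guest page needs an invalidation on every CPU that has run that guest.
 * All names and addresses here are invented for the illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCPU 4
#define TLB_ENTRIES 8
#define INVALID_HPA UINT64_MAX   /* "page is not mapped" */

struct tlb_entry { uint64_t gpa; uint64_t hpa; bool valid; };
struct cpu { struct tlb_entry tlb[TLB_ENTRIES]; };

/* A guest: its guest-physical -> host-physical table, plus a mask of CPUs that
 * have cached translations for it since the last shootdown. That mask is what
 * a correct invalidation must walk. */
struct vm {
    uint64_t gpa[TLB_ENTRIES];
    uint64_t hpa[TLB_ENTRIES];   /* INVALID_HPA once the host reclaims it */
    int nmaps;
    uint32_t ran_on_cpus;
};

static struct cpu cpus[NCPU];

static void tlb_flush_cpu(int cpu) {
    memset(cpus[cpu].tlb, 0, sizeof cpus[cpu].tlb);
}

/* Guest memory access on a given CPU. Like hardware, a cached entry wins
 * without consulting the page table; on a miss the table is walked and the
 * result cached. Returns the host address, or INVALID_HPA if unmapped. */
static uint64_t guest_access(struct vm *vm, int cpu, uint64_t gpa) {
    struct cpu *c = &cpus[cpu];
    for (int i = 0; i < TLB_ENTRIES; i++)
        if (c->tlb[i].valid && c->tlb[i].gpa == gpa)
            return c->tlb[i].hpa;            /* possibly stale */
    for (int i = 0; i < vm->nmaps; i++) {
        if (vm->gpa[i] == gpa && vm->hpa[i] != INVALID_HPA) {
            int slot = 0;                    /* first free slot, else slot 0 */
            for (int j = 0; j < TLB_ENTRIES; j++)
                if (!c->tlb[j].valid) { slot = j; break; }
            c->tlb[slot] = (struct tlb_entry){ gpa, vm->hpa[i], true };
            vm->ran_on_cpus |= 1u << cpu;
            return vm->hpa[i];
        }
    }
    return INVALID_HPA;
}

/* Host reclaims a guest page (the UVM "swap out" case from the thread).
 * shootdown_all=false models the broken behaviour: only the calling CPU's
 * cache is flushed. shootdown_all=true flushes every CPU the guest ran on. */
static void unmap_guest_page(struct vm *vm, uint64_t gpa, int calling_cpu,
                             bool shootdown_all) {
    for (int i = 0; i < vm->nmaps; i++)
        if (vm->gpa[i] == gpa)
            vm->hpa[i] = INVALID_HPA;
    if (shootdown_all) {
        for (int cpu = 0; cpu < NCPU; cpu++)
            if (vm->ran_on_cpus & (1u << cpu))
                tlb_flush_cpu(cpu);
        vm->ran_on_cpus = 0;
    } else {
        tlb_flush_cpu(calling_cpu);
    }
}

/* Scenario: the guest touches a page on CPU 1, then the host unmaps it from
 * CPU 0. Returns what CPU 1 resolves afterwards: INVALID_HPA if the page was
 * really revoked, otherwise the stale host address it can still reach. */
static uint64_t run_scenario(bool shootdown_all) {
    struct vm vm = { .gpa = { 0x1000 }, .hpa = { 0xdead0000 },
                     .nmaps = 1, .ran_on_cpus = 0 };   /* constructed sample */
    for (int i = 0; i < NCPU; i++)
        tlb_flush_cpu(i);
    (void)guest_access(&vm, 1, 0x1000);      /* CPU 1 caches the translation */
    unmap_guest_page(&vm, 0x1000, 0, shootdown_all);
    return guest_access(&vm, 1, 0x1000);
}

int main(void) {
    printf("local-only flush: CPU 1 still resolves 0x%llx\n",
           (unsigned long long)run_scenario(false));
    printf("shootdown on all CPUs the guest ran on: CPU 1 sees %s\n",
           run_scenario(true) == INVALID_HPA ? "unmapped" : "stale mapping");
    return 0;
}
```

The model keeps the per-guest CPU mask on the `vm` structure because that is the information the host needs when it decides to reclaim a page from a different CPU than the one the guest last ran on; without it the invalidation has no way to know which caches are dirty, which is the gap the post describes.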