This repository was archived by the owner on Jan 28, 2023. It is now read-only.
Fix some vulnerability issues of loading DRs and MSRs #347
Without resetting DR7, spurious exceptions encountered in unexpected conditions may lead to privilege escalation. The exploitability depends a lot on the host system, and how it processes #DB exceptions. Typically if the #DB handler has certain conditions that make it execute SWAPGS, then the ISR will execute with a guest-controlled TLS (the IA32_KERNEL_GS_BASE MSR, which contains a guest-controlled pointer), and here a privilege escalation is possible. Signed-off-by: Wenchao Wang <[email protected]>
Check the bytes being used in functions insn_fetch_*() do not exceed the 15-byte stack buffer where they are stored. It is easy for the guest to trigger out-of-bounds accesses in the host by just racing the bytes pointed to by the faulting RIP. It is an information disclosure of the host kernel stack: the out-of-bounds data has a direct influence on the instruction emulation and it doesn't seem complicated to leak host kernel stack data by observing the side effects of the altered emulation. Typically, if the destination of a MOVQ is encoded in 8 bytes located outside of the 15-byte stack buffer, the MOVQ will be applied to a destination address that is encoded by host kernel stack data. By scanning its pages to see at which address data got written, the guest can trivially infer what the values of the 8 bytes of host kernel stack were. Signed-off-by: Wenchao Wang <[email protected]>
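Added example (not HAXM's own code) of the bounds check this commit describes: a 15-byte instruction buffer whose fetch helpers refuse any read past the valid bytes instead of spilling into host stack data. The names insn_ctx, insn_fetch and the demo functions, and the sample guest bytes, are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* x86 caps an instruction at 15 bytes; the emulator copies at most that many
 * bytes from the guest RIP into a stack buffer before decoding. */
#define INSN_MAX_LEN 15

struct insn_ctx {
    uint8_t buf[INSN_MAX_LEN]; /* bytes copied from guest memory */
    size_t  len;               /* how many of them are valid */
    size_t  pos;               /* decode cursor */
};

/* Copy min(avail, INSN_MAX_LEN) guest bytes into the context. */
static void insn_ctx_init(struct insn_ctx *ctx, const uint8_t *code, size_t avail) {
    memset(ctx, 0, sizeof(*ctx));
    ctx->len = avail < INSN_MAX_LEN ? avail : INSN_MAX_LEN;
    memcpy(ctx->buf, code, ctx->len);
}

/* Bounds-checked fetch: refuse any read that would run past the valid bytes (and
 * so into host stack data). 0 on success, -1 if refused (cursor left untouched). */
static int insn_fetch(struct insn_ctx *ctx, void *out, size_t size) {
    if (size > ctx->len || ctx->pos > ctx->len - size)
        return -1;
    memcpy(out, &ctx->buf[ctx->pos], size);
    ctx->pos += size;
    return 0;
}
static int insn_fetch_u8(struct insn_ctx *c, uint8_t *v)   { return insn_fetch(c, v, 1); }
static int insn_fetch_u64(struct insn_ctx *c, uint64_t *v) { return insn_fetch(c, v, 8); }

/* Constructed guest code: REX.W + A1 (MOV RAX, moffs64) with only 3 of the 8
 * address bytes present. Opcode fetches succeed; the 8-byte fetch returns -1. */
int demo_truncated_moffs(void) {
    static const uint8_t code[] = { 0x48, 0xA1, 0x11, 0x22, 0x33 };
    struct insn_ctx ctx; uint8_t rex, op; uint64_t addr = 0;
    insn_ctx_init(&ctx, code, sizeof code);
    if (insn_fetch_u8(&ctx, &rex) || insn_fetch_u8(&ctx, &op)) return -2;
    int rc = insn_fetch_u64(&ctx, &addr);
    return (rc == -1 && addr == 0) ? rc : -3; /* -1: refused, addr untouched */
}

/* Full 15-byte buffer of constructed NOPs: one 8-byte fetch fits, a second
 * would cross the buffer end and is refused with the cursor still at 8. */
int demo_full_buffer(void) {
    uint8_t code[32]; uint64_t v; struct insn_ctx ctx;
    memset(code, 0x90, sizeof code);
    insn_ctx_init(&ctx, code, sizeof code);
    if (ctx.len != INSN_MAX_LEN || insn_fetch_u64(&ctx, &v) != 0 || v != 0x9090909090909090ULL) return -2;
    return (insn_fetch_u64(&ctx, &v) == -1 && ctx.pos == 8) ? 0 : -1;
}
```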
When using 32-bit enum values to initialize the array of uint64_t, type casting is required. Otherwise, the upper 32 bits of each array element will be wrongly filled with 1 due to sign extension. Signed-off-by: Wenchao Wang <[email protected]>
Use the MSR list to load guest MSRs on VM entries. The fact that these MSRs get loaded manually in the host means that the guest can trigger spurious interrupts in the host by enabling "system" PMC tracking and setting a low value in IA32_PMCx. It can cause two problems:
* Guest DoS of the host by just setting a very low value in IA32_PMCx which will flood the host with interrupts.
* Low-intensity information exfiltration if the emulator process has enabled PMCs (via host interfaces) and the loading of IA32_PMCx and IA32_PERFEVTSELx turns these "user-wide PMCs" into "system-wide PMCs" because the "OS" bit (bit 17) gets set. In that case the emulator can collect PMC events related to the kernel and not to itself, and information can be extracted this way (e.g., kernel cache-related events help defeat KASLR). This is a small form of "privilege escalation" since kernel PMC events generally require higher privileges to be enabled.
Signed-off-by: Wenchao Wang <[email protected]>
Use the MSR list to load host MSRs on VM exits. Corresponding to loading guest MSRs automatically, the same approach is applied to host MSRs, and only some special-case MSRs remain manually loaded. Signed-off-by: Wenchao Wang <[email protected]>
Set some MSRs loaded on VM entries/exits to pass-through for improving the performance. Signed-off-by: Wenchao Wang <[email protected]>
ok to verify
hyuan3 approved these changes Jan 26, 2021
Fix some vulnerability issues of loading DRs and MSRs during VM entries and exits.
Signed-off-by: Wenchao Wang [email protected]