Re: VMM vulns?
So, if I'm reading this all correctly it looks like _most_ of the issues have been addressed. Seems these are left:

- The TLB handling of guest pages is broken, in that the INVEPT instructions in the host could be issued on the wrong CPUs. This means that if UVM decides to swap out a guest page, the guest could still access it via stale TLB entries. On AMD CPUs, there is no TLB handling at all (??).
- vmx_load_pdptes is broken.

And for the suggestions:

- Fix TLB handling
- Provide *real* ASLR: randomize the PTE space and the direct map.

Does that seem correct?

Sent: Thursday, September 10, 2020 at 9:41 AM
From: "Demi M. Obenour"
To: misc@openbsd.org
Subject: Re: VMM vulns?

On 2020-09-03 01:09, Mike Larkin wrote:
> On Wed, Sep 02, 2020 at 09:36:14PM -0400, Bryan Steele wrote:
>> On Wed, Sep 02, 2020 at 02:03:35AM -0700, Mike Larkin wrote:
>>> On Wed, Sep 02, 2020 at 03:35:54AM +0200, f...@disciples.com wrote:
>>>> https://twitter.com/m00nbsd/status/1291257985734410244
>>>>
>>>> I don't want to bump that old thread or start any arguments about this.
>>>> I'm just curious if this tweet is accurate or have these issues been
>>>> addressed? Were any of Maxime's suggestions implemented?
>>>>
>>>
>>> I am not sure if anyone picked up the remaining issues after I left active
>>> vmm development. At that time, I sent out my WIP diff for the TLB flush issue
>>> Maxime reported; it was not 100% complete. I am not sure if anyone is working
>>> on that or not, or any other issues he reported.
>>>
>>> -ml
>>
>> As far as I'm aware all the pvclock(4) issues were addressed by pd@ and
>> mortimer@.
>>
>> https://marc.info/?l=openbsd-cvs&m=158180761313544&w=2
>> https://marc.info/?l=openbsd-cvs&m=158269876318391&w=2
>>
>> The "assorted bugs and vulns" like the RDMSR passthrough and the XSETBV
>> CPL check issues were handled by pd@, me and kettenis@ and they have all
>> been committed.
>>
>> https://marc.info/?l=openbsd-cvs&m=158196338821895&w=2
>>
>> The direct map issue on Intel CPUs hinted at by Maxime was also fixed
>> by kettenis@, deraadt@ and millert@.
>>
>> https://marc.info/?l=openbsd-cvs&m=158269724517998&w=2
>>
>> -Bryan.
>>
>
> The TLB flush issues are still outstanding.
>
> -ml

Yikes! Is https://openbsd.amsterdam affected?

-Demi
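The stale-TLB hazard in the first bullet above, as an added simulation written for this thread (it is not vmm(4) code): per-CPU TLBs are modelled as arrays, INVEPT as a flush of one CPU's array, and the fix as recording which CPUs ran the guest and flushing each of them before the host page can be reused. The CPU count, page count and page numbers are made up for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NCPU 4
#define NPAGES 8

/* Host-side table for one guest: guest page -> host page, 0 = unmapped. */
struct guest {
    uint32_t map[NPAGES];
    uint32_t cpus_ran;      /* bitmask of CPUs that have executed this guest */
};

static uint32_t tlb[NCPU][NPAGES]; /* per-CPU cached translations, 0 = miss */

/* Model of INVEPT: only the TLB of the CPU that executes it is cleared. */
static void invept_local(int cpu) { memset(tlb[cpu], 0, sizeof tlb[cpu]); }

/* Guest runs on `cpu` and touches `gpage`; the TLB is filled on a miss. */
static uint32_t guest_access(struct guest *g, int cpu, int gpage) {
    g->cpus_ran |= 1u << cpu;
    if (tlb[cpu][gpage] == 0)
        tlb[cpu][gpage] = g->map[gpage];
    return tlb[cpu][gpage]; /* stale if the page was unmapped without a flush here */
}

/* Buggy: unmap, then flush only the TLB of the CPU doing the unmap. */
static void unmap_flush_local_only(struct guest *g, int gpage, int cpu) {
    g->map[gpage] = 0;
    invept_local(cpu);
}

/* Correct: unmap, then invalidate on every CPU that ran the guest. */
static void unmap_shootdown(struct guest *g, int gpage) {
    g->map[gpage] = 0;
    for (int c = 0; c < NCPU; c++)
        if (g->cpus_ran & (1u << c))
            invept_local(c); /* on real hardware: IPI that CPU and run INVEPT there */
    g->cpus_ran = 0;
}

/* Guest touches page 3 on CPU 1; the host unmaps it from CPU 0.
 * Returns what the guest then sees for page 3 on CPU 1 (0 = no mapping). */
static uint32_t scenario(bool shootdown) {
    struct guest g = { .map = {0, 0, 0, 0x1000, 0, 0, 0, 0}, .cpus_ran = 0 };
    memset(tlb, 0, sizeof tlb);
    guest_access(&g, 1, 3);
    if (shootdown) unmap_shootdown(&g, 3); else unmap_flush_local_only(&g, 3, 0);
    return guest_access(&g, 1, 3);
}

int main(void) {
    printf("local-only flush: guest still sees %#x\n", scenario(false)); /* 0x1000 */
    printf("shootdown:        guest sees %#x\n", scenario(true));        /* 0 */
    return 0;
}
```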
Re: VMM vulns?
Demi M. Obenour [demioben...@gmail.com] wrote:
>
> Yikes! Is https://openbsd.amsterdam affected?
>

Unless they have a special version of vmm with bugfixes that don't exist anywhere else, then yes, of course.
Re: VMM vulns?
On 2020-09-03 01:09, Mike Larkin wrote:
> On Wed, Sep 02, 2020 at 09:36:14PM -0400, Bryan Steele wrote:
>> On Wed, Sep 02, 2020 at 02:03:35AM -0700, Mike Larkin wrote:
>>> On Wed, Sep 02, 2020 at 03:35:54AM +0200, f...@disciples.com wrote:
>>>> https://twitter.com/m00nbsd/status/1291257985734410244
>>>>
>>>> I don't want to bump that old thread or start any arguments about this.
>>>> I'm just curious if this tweet is accurate or have these issues been
>>>> addressed? Were any of Maxime's suggestions implemented?
>>>>
>>>
>>> I am not sure if anyone picked up the remaining issues after I left active
>>> vmm development. At that time, I sent out my WIP diff for the TLB flush issue
>>> Maxime reported; it was not 100% complete. I am not sure if anyone is working
>>> on that or not, or any other issues he reported.
>>>
>>> -ml
>>
>> As far as I'm aware all the pvclock(4) issues were addressed by pd@ and
>> mortimer@.
>>
>> https://marc.info/?l=openbsd-cvs&m=158180761313544&w=2
>> https://marc.info/?l=openbsd-cvs&m=158269876318391&w=2
>>
>> The "assorted bugs and vulns" like the RDMSR passthrough and the XSETBV
>> CPL check issues were handled by pd@, me and kettenis@ and they have all
>> been committed.
>>
>> https://marc.info/?l=openbsd-cvs&m=158196338821895&w=2
>>
>> The direct map issue on Intel CPUs hinted at by Maxime was also fixed
>> by kettenis@, deraadt@ and millert@.
>>
>> https://marc.info/?l=openbsd-cvs&m=158269724517998&w=2
>>
>> -Bryan.
>>
>
> The TLB flush issues are still outstanding.
>
> -ml

Yikes! Is https://openbsd.amsterdam affected?

-Demi
Re: VMM vulns?
On Wed, Sep 02, 2020 at 09:36:14PM -0400, Bryan Steele wrote:
> On Wed, Sep 02, 2020 at 02:03:35AM -0700, Mike Larkin wrote:
> > On Wed, Sep 02, 2020 at 03:35:54AM +0200, f...@disciples.com wrote:
> > > https://twitter.com/m00nbsd/status/1291257985734410244
> > >
> > > I don't want to bump that old thread or start any arguments about this.
> > > I'm just curious if this tweet is accurate or have these issues been
> > > addressed? Were any of Maxime's suggestions implemented?
> > >
> >
> > I am not sure if anyone picked up the remaining issues after I left active
> > vmm development. At that time, I sent out my WIP diff for the TLB flush issue
> > Maxime reported; it was not 100% complete. I am not sure if anyone is working
> > on that or not, or any other issues he reported.
> >
> > -ml
>
> As far as I'm aware all the pvclock(4) issues were addressed by pd@ and
> mortimer@.
>
> https://marc.info/?l=openbsd-cvs&m=158180761313544&w=2
> https://marc.info/?l=openbsd-cvs&m=158269876318391&w=2
>
> The "assorted bugs and vulns" like the RDMSR passthrough and the XSETBV
> CPL check issues were handled by pd@, me and kettenis@ and they have all
> been committed.
>
> https://marc.info/?l=openbsd-cvs&m=158196338821895&w=2
>
> The direct map issue on Intel CPUs hinted at by Maxime was also fixed
> by kettenis@, deraadt@ and millert@.
>
> https://marc.info/?l=openbsd-cvs&m=158269724517998&w=2
>
> -Bryan.
>

The TLB flush issues are still outstanding.

-ml
Re: VMM vulns?
On Wed, Sep 02, 2020 at 09:36:17PM -0400, Bryan Steele wrote:
> The direct map issue on Intel CPUs hinted at by Maxime was also fixed
> by kettenis@, deraadt@ and millert@.

Sorry.. and mpi@

https://marc.info/?l=openbsd-cvs&m=158213132510408&w=2

>
> -Bryan.
Re: VMM vulns?
On Wed, Sep 02, 2020 at 02:03:35AM -0700, Mike Larkin wrote:
> On Wed, Sep 02, 2020 at 03:35:54AM +0200, f...@disciples.com wrote:
> > https://twitter.com/m00nbsd/status/1291257985734410244
> >
> > I don't want to bump that old thread or start any arguments about this. I'm
> > just curious if this tweet is accurate or have these issues been addressed?
> > Were any of Maxime's suggestions implemented?
> >
>
> I am not sure if anyone picked up the remaining issues after I left active
> vmm development. At that time, I sent out my WIP diff for the TLB flush issue
> Maxime reported; it was not 100% complete. I am not sure if anyone is working
> on that or not, or any other issues he reported.
>
> -ml

As far as I'm aware all the pvclock(4) issues were addressed by pd@ and
mortimer@.

https://marc.info/?l=openbsd-cvs&m=158180761313544&w=2
https://marc.info/?l=openbsd-cvs&m=158269876318391&w=2

The "assorted bugs and vulns" like the RDMSR passthrough and the XSETBV
CPL check issues were handled by pd@, me and kettenis@ and they have all
been committed.

https://marc.info/?l=openbsd-cvs&m=158196338821895&w=2

The direct map issue on Intel CPUs hinted at by Maxime was also fixed
by kettenis@, deraadt@ and millert@.

https://marc.info/?l=openbsd-cvs&m=158269724517998&w=2

-Bryan.
Re: VMM vulns?
On Wed, Sep 02, 2020 at 03:35:54AM +0200, f...@disciples.com wrote:
> https://twitter.com/m00nbsd/status/1291257985734410244
>
> I don't want to bump that old thread or start any arguments about this. I'm
> just curious if this tweet is accurate or have these issues been addressed?
> Were any of Maxime's suggestions implemented?
>

I am not sure if anyone picked up the remaining issues after I left active
vmm development. At that time, I sent out my WIP diff for the TLB flush issue
Maxime reported; it was not 100% complete. I am not sure if anyone is working
on that or not, or any other issues he reported.

-ml
VMM vulns?
https://twitter.com/m00nbsd/status/1291257985734410244

I don't want to bump that old thread or start any arguments about this. I'm
just curious if this tweet is accurate or have these issues been addressed?
Were any of Maxime's suggestions implemented?