[FYI PATCH 0/7] Mitigation for CVE-2018-12207

From: Paolo Bonzini
Date: Tue Nov 12 2019 - 16:21:43 EST

Next message: Paolo Bonzini: "[PATCH 2/7] x86/cpu: Add Tremont to the cpu vulnerability whitelist"
Previous message: Wolfram Sang: "Re: [PATCH 1/3] dt-bindings: mmc: Add 'fixed-emmc-driver-type-hs{200,400}'"
Next in thread: Paolo Bonzini: "[PATCH 2/7] x86/cpu: Add Tremont to the cpu vulnerability whitelist"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

CVE-2018-12207 is a microarchitectural implementation issue
that could allow an unprivileged local attacker to cause system wide
denial-of-service condition.

Privileged software may change the page size (ex. 4KB, 2MB, 1GB) in the
paging structures, without following such paging structure changes with
invalidation of the TLB entries corresponding to the changed pages. In
this case, the attacker could invoke instruction fetch, which will result
in the processor hitting multiple TLB entries, reporting a machine check
error exception, and ultimately hanging the system.

The attached patches mitigate the vulnerability by making huge pages
non-executable. The processor will not be able to execute an instruction
residing in a large page (ie. 2MB, 1GB, etc.) without causing a trap into
the host kernel/hypervisor; KVM will then break the large page into 4KB
pages and gives executable permission to 4KB pages.

Thanks to everyone that was involved in the development of these patches,
especially Junaid Shahid, who provided the first version of the code,
and Thomas Gleixner.

Paolo

Gomez Iglesias, Antonio (1):
Documentation: Add ITLB_MULTIHIT documentation

Junaid Shahid (2):
kvm: Add helper function for creating VM worker threads
kvm: x86: mmu: Recovery of shattered NX large pages

Paolo Bonzini (1):
kvm: mmu: ITLB_MULTIHIT mitigation

Pawan Gupta (1):
x86/cpu: Add Tremont to the cpu vulnerability whitelist

Tyler Hicks (1):
cpu/speculation: Uninline and export CPU mitigations helpers

Vineela Tummalapalli (1):
x86/bugs: Add ITLB_MULTIHIT bug infrastructure

Documentation/ABI/testing/sysfs-devices-system-cpu | 1 +
Documentation/admin-guide/hw-vuln/index.rst | 1 +
Documentation/admin-guide/hw-vuln/multihit.rst | 163 +++++++++++++
Documentation/admin-guide/kernel-parameters.txt | 25 ++
arch/x86/include/asm/cpufeatures.h | 1 +
arch/x86/include/asm/kvm_host.h | 6 +
arch/x86/include/asm/msr-index.h | 7 +
arch/x86/kernel/cpu/bugs.c | 24 ++
arch/x86/kernel/cpu/common.c | 67 ++---
arch/x86/kvm/mmu.c | 270 ++++++++++++++++++++-
arch/x86/kvm/mmu.h | 4 +
arch/x86/kvm/paging_tmpl.h | 29 ++-
arch/x86/kvm/x86.c | 20 ++
drivers/base/cpu.c | 8 +
include/linux/cpu.h | 27 +--
include/linux/kvm_host.h | 6 +
kernel/cpu.c | 27 ++-
virt/kvm/kvm_main.c | 112 +++++++++
18 files changed, 732 insertions(+), 66 deletions(-)
create mode 100644 Documentation/admin-guide/hw-vuln/multihit.rst

--
1.8.3.1

Next message: Paolo Bonzini: "[PATCH 2/7] x86/cpu: Add Tremont to the cpu vulnerability whitelist"
Previous message: Wolfram Sang: "Re: [PATCH 1/3] dt-bindings: mmc: Add 'fixed-emmc-driver-type-hs{200,400}'"
Next in thread: Paolo Bonzini: "[PATCH 2/7] x86/cpu: Add Tremont to the cpu vulnerability whitelist"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]