Bug 1679327 - xen: xsa293: PV kernel context switch corruption
Summary: xen: xsa293: PV kernel context switch corruption
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1685577
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-20 21:56 UTC by Pedro Sampaio
Modified: 2019-09-29 15:08 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:48:29 UTC
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2019-02-20 21:56:06 UTC
On hardware supporting the fsgsbase feature, 64bit PV guests can set and
clear the applicable control bit in its virtualised %cr4, but the
feature remains fully active in hardware. Therefore, the associated
instructions are actually usable.

Linux, which does not currently support this feature, has various
optimisations in its context switch path which justifiably assume that
userspace can't actually make changes without a system call.

Xen's behaviour of having this feature active behind the guest kernel's
back undermines the correctness of any context switch logic which
depends on the feature being disabled.

Userspace can therefore corrupt fsbase or gsbase (commonly used for
Thread Local Storage) in the next thread to be scheduled on the
current vcpu.

Comment 1 Andrej Nemec 2019-03-05 14:21:27 UTC
References:

https://seclists.org/oss-sec/2019/q1/164

Comment 2 Andrej Nemec 2019-03-05 14:26:32 UTC
Created xen tracking bugs for this issue:

Affects: fedora-all [bug 1685577]


Note You need to log in before you can comment on or make changes to this bug.