
Re: kfence_protect_page() writing L1TF vulnerable PTE




On Sun, Dec 11, 2022 at 01:15:06PM +0100, Juergen Gross wrote:
> During tests with QubesOS a problem was found which seemed to be related
> to kfence_protect_page() writing a L1TF vulnerable page table entry [1].
> 
> Looking into the function I'm seeing:
> 
>       set_pte(pte, __pte(pte_val(*pte) & ~_PAGE_PRESENT));
> 
> I don't think this can be correct, as keeping the PFN unmodified and
> just removing the _PAGE_PRESENT bit is wrong regarding L1TF.
> 
> There should be at least the highest PFN bit set in order to be L1TF
> safe.
> 
> 
> Juergen
> 
> [1]: https://github.com/QubesOS/qubes-issues/issues/7935

Does that mean that Linux with kfence enabled is vulnerable to L1TF?  Or
are these pages ones that are not in any userspace page tables?  If the
former, then this is a security vulnerability in Linux and must be
fixed.  If the latter, then the two options I can think of are to revert
whatever change caused kfence to produce L1TF-vulnerable PTEs, or to
disable kfence when running paravirtualized under Xen.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
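
The concern raised in the quoted message, as an added user-space C model (not code from this thread, and not taken from the Linux or Xen trees): it compares clearing only the present bit with also inverting the PFN field, then checks each result against the rule stated above that the highest PFN bit must be set. `PHYS_BITS`, the function names and the sample PTE value are assumptions, and `l1tf_safe()` is a simplified stand-in for a real L1TF check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_PRESENT 0x1ULL                  /* x86 PTE bit 0 */
#define PAGE_SHIFT   12
#define PTE_PFN_MASK 0x000ffffffffff000ULL   /* x86-64 PTE bits 12..51 */
#define PHYS_BITS    46                      /* assumed physical address width */

/* The operation quoted in the thread: drop Present, keep the PFN as is. */
static uint64_t clear_present_only(uint64_t pte)
{
    return pte & ~PAGE_PRESENT;
}

/* Drop Present and invert the PFN field so the entry no longer names real RAM. */
static uint64_t clear_present_inverted(uint64_t pte)
{
    return (pte & ~PAGE_PRESENT) ^ PTE_PFN_MASK;
}

/* Recover the original PFN from either encoding. */
static uint64_t pte_to_pfn(uint64_t pte, bool inverted)
{
    if (inverted)
        pte ^= PTE_PFN_MASK;
    return (pte & PTE_PFN_MASK) >> PAGE_SHIFT;
}

/* Simplified check: present and all-zero entries are fine; any other
 * not-present entry must have the highest physical address bit set. */
static bool l1tf_safe(uint64_t pte)
{
    if ((pte & PAGE_PRESENT) || pte == 0)
        return true;
    return (pte >> (PHYS_BITS - 1)) & 1;
}

int main(void)
{
    uint64_t pte = (0x12345ULL << PAGE_SHIFT) | 0x63; /* constructed sample PTE */
    uint64_t a = clear_present_only(pte), b = clear_present_inverted(pte);

    printf("present-only: %#018llx safe=%d\n", (unsigned long long)a, l1tf_safe(a));
    printf("inverted:     %#018llx safe=%d pfn=%#llx\n", (unsigned long long)b,
           l1tf_safe(b), (unsigned long long)pte_to_pfn(b, true));
    return 0;
}
```

The inverted entry still carries enough information to recover the original PFN, so a protect/unprotect pair can round-trip without leaving a real frame number in a not-present entry.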
