[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Nullptr dereference in nested VMX when shadow VMCS support is available


  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Manuel Andreas <manuel.andreas@xxxxxx>
  • Date: Mon, 2 Jun 2025 20:11:14 +0200
  • Authentication-results: postout.lrz.de (amavis); dkim=pass (2048-bit key) reason="pass (just generated, assumed good)" header.d=tum.de
  • Autocrypt: addr=manuel.andreas@xxxxxx; keydata= xjMEY9Zx/RYJKwYBBAHaRw8BAQdALWzRzW9a74DX4l6i8VzXGvv72Vz0qfvj9s7bjBD905nN Jk1hbnVlbCBBbmRyZWFzIDxtYW51ZWwuYW5kcmVhc0B0dW0uZGU+wokEExYIADEWIQQuSfNX 11QV6exAUmOqZGwY4LuingUCY9Zx/QIbAwQLCQgHBRUICQoLBRYCAwEAAAoJEKpkbBjgu6Ke McQBAPyP530S365I50I5rM2XjH5Hr9YcUQATD5dusZJMDgejAP9T/wUurwQSuRfm1rK8cNcf w4wP3+PLvL+J+kuVku93CM44BGPWcf0SCisGAQQBl1UBBQEBB0AmCAf31tLBD5tvtdZ0XX1B yGLUAxhgmFskGyPhY8wOKQMBCAfCeAQYFggAIBYhBC5J81fXVBXp7EBSY6pkbBjgu6KeBQJj 1nH9AhsMAAoJEKpkbBjgu6Kej6YA/RvJdXMjsD5csifolLw53KX0/ElM22SvaGym1+KiiVND AQDy+y+bCXI+J713/AwLBsDxTEXmP7Cp49ZqbAu83NnpBQ==
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Mon, 02 Jun 2025 18:11:30 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 6/2/25 17:42, Jan Beulich wrote:

This is possible when:

   1. The malicious domain has nested HVM capabilities.
   2. The CPU is running on top of VMX and supports shadow VMCS.

To trigger the bug, the domain must first enable VMX operation for
itself, execute VMXON and then finally execute VMPTRLD on a guest
physical address that is backed by a non-writable p2m mapping.
In `nvmx_handle_vmptrld`, after attempting to map the nested VMCS, Xen
will check whether or not this mapping is suitable for writing and if
not immediately unmap the nested VMCS again and abort the setup of
`nvcpu->nv_vvmcx`. However, Xen at this point erroneously continues
emulation of the VMPTRLD. In particular, if VMCS shadowing is available,
Xen will nonetheless attempt to link up the nested VMCS to its own VMCS
in `nvmx_set_vmcs_pointer`. Importantly, Xen here attempts to
dereference the presumably mapped nested VMCS (which now is merely a
NULL pointer) in order to mark it as a shadow VMCS by applying the
`VMCS_RID_TYPE_MASK` to its revision identifier. Following, the page
fault handler will panic Xen.

I've attached an XTF reproducer that triggers the bug. To setup such a
non-writable p2m mapping for the malicious VMCS, I first setup an
appropriate grant table entry. I've tested it on Xen version 4.20.0.
I expect this to not work anymore on current staging or 4.20.1-pre.
See a8325f981ce4 ("x86/P2M: synchronize fast and slow paths of
p2m_get_page_from_gfn()").
On first glance I don't see how that would impact the type of the
established p2m mapping.
Thing is that with said change grant mappings will cause
hvm_map_guest_frame_rw() to simply fail, rather than returning a r/o
mapping for r/o grant entries.
I see, that makes sense. Thanks for the clarification!

Best,
Manuel



 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.