53871 – nVMX: Can malicious L2 kill L1?

Bug 53871 - nVMX: Can malicious L2 kill L1?

Summary: nVMX: Can malicious L2 kill L1?

Status:	NEW

Alias:	None

Product:	Virtualization
Classification:	Unclassified
Component:	kvm (show other bugs)
Hardware:	All Linux

Importance:	P1 low
Assignee:	virtualization_kvm

URL:
Keywords:

Depends on:
Blocks:	94971 53601
	Show dependency tree

Reported:	2013-02-14 15:22 UTC by Nadav Har'El
Modified:	2015-03-17 03:53 UTC (History)
CC List:	0 users

See Also:
Kernel Version:
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nadav Har'El 2013-02-14 15:22:17 UTC

This is a thought-experiment bug - I haven't seen it happen in practice, so maybe it's not a bug, but it's worth investigating.

There are, I think, places cases where KVM decides that the guest is buggy or malicious so it aborts this guest. But because KVM is not aware that L1 and several L2 (nested guests) are all pretending to be one guest (one vcpu) - this might mean that a buggy or malicious L2 can kill an entire L1, not just this L2.

A potential example of this problem is this (I'm not sure it's actually correct - I just thought of this a long time ago and didn't recheck the details now): In the original nested VMX submission, After L2 changed cr3, kvm_mmu_load() was called to realize immediately that L2 did something bad and only it should be aborted. But after a review, this test was removed, so the code now waits till later, and when it later sees it can't kvm_mmu_load() I think it kills the entire vcpu - L1 and all its L2s.

Note You need to log in before you can comment on or make changes to this bug.