[PATCH 0/2] i386/tcg: Protect SMM against malicious kernel via IPI & DR

YiFei Zhu posted 2 patches 3 days, 3 hours ago
Patches applied successfully (tree, apply log)
git fetch https://github.com/patchew-project/qemu tags/patchew/cover.1758794468.git.zhuyifei@google.com
Maintainers: Paolo Bonzini <pbonzini@redhat.com>, Zhao Liu <zhao1.liu@intel.com>, Richard Henderson <richard.henderson@linaro.org>, Eduardo Habkost <eduardo@habkost.net>
Posted by YiFei Zhu 3 days, 3 hours ago
These two patches fix two separate TCG-only SMM vulnerabilities.
Neither of them is reproducible with KVM, and hence they are limited to the
"Non-virtualization Use Case" [1].

The first patch's bug was found by me while developing SMM challenges
for CrewCTF. The second patch's bug was found by unvariant, a participant
in the said CTF.

[1] https://www.qemu.org/docs/master/system/security.html#non-virtualization-use-case

YiFei Zhu (2):
  i386/cpu: Prevent delivering SIPI during SMM in TCG mode
  i386/tcg/smm_helper: Properly apply DR values on SMM entry / exit

 target/i386/cpu.c                   |  3 ++-
 target/i386/tcg/system/smm_helper.c | 10 +++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

-- 
2.51.0.536.g15c5d4f767-goog