[LTP] [PATCH 0/7] Two AMD SVM vulnerability tests

Martin Doucha mdoucha@suse.cz
Wed May 17 17:36:35 CEST 2023


Here are two more kernel vulnerability tests for AMD SVM:

kvm_svm02 checks that the host kernel intercepts VMLOAD and VMSAVE
instructions in nested VMs and translates guest addresses to the correct
physical address. Without the translation, a nested SVM guest can read and
write part of an arbitrary physical memory page chosen by the parent VM.

The test tries to detect the CVE bug harmlessly at first by using VMLOAD
to read a buffer full of zeroes. If it finds any non-zero bytes in the VMCB
fields accessed by VMLOAD/VMSAVE, it'll fail because they must have come
from host memory due to missing address translation.

Since the harmless approach can produce false negatives, it'll also try
a destructive approach and write into memory using VMSAVE. If the bug
is present, the byte pattern in the destination buffer will not change
and the test will reliably fail.

kvm_svm03 checks that the host kernel correctly handles the global interrupt
flag in nested VMs. Otherwise a malicious VM could lock up all CPUs
assigned to it, causing a limited denial of service attack.

The test needs synchronization between the VM and another host thread so
the patchset includes the necessary helper functions.

Martin Doucha (7):
  KVM: Add VMSAVE/VMLOAD intercept constants
  Add test for CVE 2021-3656
  lib: Add safe functions for pthread_kill() and mutexes
  KVM: Add async communication helper functions
  KVM: Allow expected KVM_RUN errors in tst_kvm_run_instance()
  KVM: Add STGI/CLGI intercept constants
  Add KVM test for CPU lockup through malicious SVM guest

 doc/kvm-test-api.txt                       |   9 +-
 include/tst_safe_pthread.h                 |  52 +++++++
 lib/safe_pthread.c                         | 161 ++++++++++++++++++++
 runtest/kvm                                |   2 +
 testcases/kernel/kvm/.gitignore            |   2 +
 testcases/kernel/kvm/Makefile              |   3 +
 testcases/kernel/kvm/include/kvm_common.h  |   8 +
 testcases/kernel/kvm/include/kvm_guest.h   |  14 ++
 testcases/kernel/kvm/include/kvm_host.h    |  21 ++-
 testcases/kernel/kvm/include/kvm_x86_svm.h |   7 +
 testcases/kernel/kvm/kvm_svm02.c           | 159 ++++++++++++++++++++
 testcases/kernel/kvm/kvm_svm03.c           | 164 +++++++++++++++++++++
 testcases/kernel/kvm/lib_guest.c           |  16 ++
 testcases/kernel/kvm/lib_host.c            |  46 +++++-
 14 files changed, 656 insertions(+), 8 deletions(-)
 create mode 100644 testcases/kernel/kvm/kvm_svm02.c
 create mode 100644 testcases/kernel/kvm/kvm_svm03.c

-- 
2.40.0
