Re: [Linux-6.12.y] XEN: CVE-2024-53241 / XSA-466 and Clang-kCFI
From: Sedat Dilek
Date: Tue Dec 24 2024 - 16:58:00 EST
On Tue, Dec 24, 2024 at 5:23 PM Sedat Dilek <sedat.dilek@xxxxxxxxx> wrote:
>
> On Sun, Dec 22, 2024 at 11:37 AM Sedat Dilek <sedat.dilek@xxxxxxxxx> wrote:
> >
> > On Sat, Dec 21, 2024 at 10:31 PM Andrew Cooper
> > <andrew.cooper3@xxxxxxxxxx> wrote:
> > >
> > > On 21/12/2024 6:25 pm, Sedat Dilek wrote:
> > > > With...
> > > >
> > > > dileks@iniza:~/src/xtf/git$ mv tests/xsa-454 ../
> > > > dileks@iniza:~/src/xtf/git$ mv tests/xsa-consoleio-write ../
> > >
> > > That's completely bizarre. There's nothing interestingly different
> > > with those two tests vs the others.
> > >
> > > I take it the crash is repeatable when using either of these?
> > >
> > > ~Andrew
> >
> > This time I stopped SDDM and thus KDE-6/Wayland session.
> >
> > Tested with Debian's official 6.12.6-amd64 kernel in VT-3.
> >
> > test-hvm32pae-xsa-consoleio-write SUCCESS <--- 1st time I tried, never said this is not OK
> >
> > test-hvm64-xsa-454 leads to a FROZEN system and DATA LOSS (here: ext4).
> > Reproducible, as told many times, in Debian and selfmade kernels version 6.12.6.
> >
> > Stolen from the picture I took with my smartphone:
> >
> > sudo ./xtf-runner test-hvm64-xsa-454
> >
> > Executing 'xl create -p tests/xsa-454/test-hvm64-xsa-454.cfg'
> > Executing 'xl console test-hvm64-xsa-454'
> > Executing 'xl unpause test-hvm64-xsa-454'
> >
> > ^^ System does NOT react!
> >
> > I can send you the picture on request.
> >
> > -Sedat-
>
> [ CC 1091360@xxxxxxxxxxxxxxx ]
>
> I upgraded to Xen version 4.19.1 in Debian/unstable AMD64.
>
> # xl info | egrep 'release|version|commandline|caps'
> release : 6.12.6-amd64
> version : #1 SMP PREEMPT_DYNAMIC Debian 6.12.6-1 (2024-12-21)
> hw_caps : bfebfbff:17bae3bf:28100800:00000001:00000001:00000000:00000000:00000100
> virt_caps : pv hvm hap shadow gnttab-v1 gnttab-v2
> xen_version : 4.19.1
> xen_caps : xen-3.0-x86_64 hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
> xen_commandline : placeholder
>
> dileks@iniza:~/src/xtf/git$ sudo ./xtf-runner --host test-hvm64-xsa-454
> Executing 'xl create -p tests/xsa-454/test-hvm64-xsa-454.cfg'
> Executing 'xl console test-hvm64-xsa-454'
> Executing 'xl unpause test-hvm64-xsa-454'
> --- Xen Test Framework ---
> Environment: HVM 64bit (Long mode 4 levels)
> XSA-454 PoC
> Success: Not vulnerable to XSA-454
> Test result: SUCCESS
>
> Combined test results:
> test-hvm64-xsa-454 SUCCESS
>
> root@iniza:~# LC_ALL=C ll /var/log/xen/*xsa-454*.log
> -rw-r--r-- 1 root adm 232 Dec 24 17:11 /var/log/xen/qemu-dm-test-hvm64-xsa-454.log
> -rw-r--r-- 1 root adm 232 Dec 24 17:11 /var/log/xen/xl-test-hvm64-xsa-454.log
>
> root@iniza:~# cat /var/log/xen/qemu-dm-test-hvm64-xsa-454.log
> VNC server running on 127.0.0.1:5900
> xen-qemu-system-i386: failed to create 'console' device '0': declining to handle console type 'xenconsoled'
> xen-qemu-system-i386: terminating on signal 1 from pid 6302
> (/usr/lib/xen-4.19/bin/xl)
>
> root@iniza:~# cat /var/log/xen/xl-test-hvm64-xsa-454.log
> Waiting for domain test-hvm64-xsa-454 (domid 144) to die [pid 6302]
> Domain 144 has shut down, reason code 0 0x0
> Action for shutdown reason code 0 is destroy
> Domain 144 needs to be cleaned up: destroying the domain
> Done. Exiting now
>
> Due to Debian Bug #1091360 ("qemu-system-xen: Build against libxen-dev
> version 4.19.1-1") I am not able to do the full XTF tests.
>
> -Sedat-
>
> Link: https://bugs.debian.org/1091360
With the NEW qemu-system-xen/unstable (1:9.2.0+ds-3), both 6.12.6 kernels (Debian and selfmade) run with SUCCESS.

Nothing scary in the dmesg log.

Happy XMAS,

-Sedat-

# cat /proc/version
Linux version 6.12.6-1-amd64-clang19-kcfi (sedat.dilek@xxxxxxxxx@iniza) (ClangBuiltLinux clang version 19.1.6 (https://github.com/llvm/llvm-project.git e21dc4bd5474d04b8e62d7331362edcc5648d7e5), ClangBuiltLinux LLD 19.1.6 (https://github.com/llvm/llvm-project.git e21dc4bd5474d04b8e62d7331362edcc5648d7e5)) #1~trixie+dileks SMP PREEMPT_DYNAMIC 2024-12-19
# LC_ALL=C dmesg -T | grep kCFI
[Tue Dec 24 22:34:51 2024] SMP alternatives: Using kCFI
# xl info | egrep 'release|version|commandline|caps'
release : 6.12.6-1-amd64-clang19-kcfi
version : #1~trixie+dileks SMP PREEMPT_DYNAMIC 2024-12-19
hw_caps : bfebfbff:17bae3bf:28100800:00000001:00000001:00000000:00000000:00000100
virt_caps : pv hvm hap shadow gnttab-v1 gnttab-v2
xen_version : 4.19.1
xen_caps : xen-3.0-x86_64 hvm-3.0-x86_32 hvm-3.0-x86_32p hvm-3.0-x86_64
xen_commandline : placeholder
# dpkg -l | egrep 'qemu-system-xen|libxenmisc' | awk '/^(ii|hi|rc|pi)/ {print $1 " " $2 " " $3}' | column -t
ii libxenmisc4.19:amd64 4.19.1-1
ii qemu-system-xen 1:9.2.0+ds-3
dileks@iniza:~/src/xtf/git$ sudo ./xtf-runner -a --host
...
Executing 'xl create -p tests/xsa-454/test-hvm64-xsa-454.cfg'
Executing 'xl console test-hvm64-xsa-454'
Executing 'xl unpause test-hvm64-xsa-454'
--- Xen Test Framework ---
Environment: HVM 64bit (Long mode 4 levels)
XSA-454 PoC
Success: Not vulnerable to XSA-454
Test result: SUCCESS
Executing 'xl create -p tests/xsa-consoleio-write/test-hvm32pae-xsa-consoleio-write.cfg'
Executing 'xl console test-hvm32pae-xsa-consoleio-write'
Executing 'xl unpause test-hvm32pae-xsa-consoleio-write'
--- Xen Test Framework ---
Environment: HVM 32bit (PAE 3 levels)
CONSOLEIO_write stack overflow PoC
Success: Not vulnerable to CONSOLEIO_write stack overflow
Test result: SUCCESS
Combined test results:
test-hvm32-cpuid-faulting SKIP
test-hvm32pae-cpuid-faulting SKIP
test-hvm32pse-cpuid-faulting SKIP
test-hvm64-cpuid-faulting SKIP
test-pv64-cpuid-faulting SKIP
test-hvm64-fpu-exception-emulation SKIP
test-hvm32-invlpg~hap SUCCESS
test-hvm32-invlpg~shadow SUCCESS
test-hvm32pae-invlpg~hap SUCCESS
test-hvm32pae-invlpg~shadow SUCCESS
test-hvm64-invlpg~hap SUCCESS
test-hvm64-invlpg~shadow SUCCESS
test-hvm64-lbr-tsx-vmentry SUCCESS
test-hvm32-livepatch-priv-check SUCCESS
test-hvm64-livepatch-priv-check SUCCESS
test-pv64-livepatch-priv-check SUCCESS
test-hvm32-lm-ts SUCCESS
test-hvm64-lm-ts SUCCESS
test-hvm32pae-memop-seg SUCCESS
test-hvm64-memop-seg SUCCESS
test-pv64-memop-seg SUCCESS
test-hvm32pae-nmi-taskswitch-priv SUCCESS
test-pv64-pv-fsgsbase SKIP
test-pv64-pv-iopl~hypercall SUCCESS
test-pv64-pv-iopl~vmassist SUCCESS
test-hvm32-swint-emulation SKIP
test-hvm32pae-swint-emulation SKIP
test-hvm32pse-swint-emulation SKIP
test-hvm64-swint-emulation SKIP
test-hvm32-umip SKIP
test-hvm64-umip SKIP
test-hvm32-xsa-122 SUCCESS
test-hvm32pae-xsa-122 SUCCESS
test-hvm32pse-xsa-122 SUCCESS
test-hvm64-xsa-122 SUCCESS
test-pv64-xsa-122 SUCCESS
test-hvm32-xsa-123 SKIP
test-pv64-xsa-167 SKIP
test-hvm64-xsa-168~shadow SUCCESS
test-hvm64-xsa-170 SKIP
test-hvm64-xsa-173~shadow SUCCESS
test-pv64-xsa-182 SUCCESS
test-hvm32-xsa-186 SKIP
test-hvm64-xsa-186 SKIP
test-hvm32-xsa-188 SUCCESS
test-hvm32pae-xsa-188 SUCCESS
test-hvm32pse-xsa-188 SUCCESS
test-hvm64-xsa-188 SUCCESS
test-pv64-xsa-188 SUCCESS
test-hvm32-xsa-191 SKIP
test-hvm32-xsa-192 SUCCESS
test-pv64-xsa-193 SUCCESS
test-hvm64-xsa-195 SUCCESS
test-hvm64-xsa-196 SKIP
test-hvm32-xsa-200 SKIP
test-hvm32-xsa-203 SKIP
test-hvm64-xsa-204 SKIP
test-pv64-xsa-212 SUCCESS
test-pv64-xsa-213 SUCCESS
test-hvm64-xsa-221 SUCCESS
test-pv64-xsa-221 SUCCESS
test-pv64-xsa-224 SUCCESS
test-pv64-xsa-227 SUCCESS
test-hvm64-xsa-231 SUCCESS
test-pv64-xsa-231 SUCCESS
test-hvm64-xsa-232 SUCCESS
test-pv64-xsa-232 SUCCESS
test-pv64-xsa-234 SUCCESS
test-hvm32-xsa-239 SUCCESS
test-pv64-xsa-255 SUCCESS
test-pv64-xsa-259 SUCCESS
test-pv64-xsa-260 SUCCESS
test-hvm64-xsa-261 SUCCESS
test-pv64-xsa-265 SUCCESS
test-hvm64-xsa-269 SUCCESS
test-hvm64-xsa-277 SUCCESS
test-hvm64-xsa-278 SUCCESS
test-pv64-xsa-279 SUCCESS
test-pv64-xsa-286 SUCCESS
test-pv64-xsa-296 SUCCESS
test-pv64-xsa-298 SUCCESS
test-hvm64-xsa-304 SUCCESS
test-hvm64-xsa-308 SUCCESS
test-pv64-xsa-316 SUCCESS
test-hvm32-xsa-317 SUCCESS
test-hvm32pae-xsa-317 SUCCESS
test-hvm32pse-xsa-317 SUCCESS
test-hvm64-xsa-317 SUCCESS
test-pv64-xsa-317 SUCCESS
test-pv64-xsa-333 SUCCESS
test-pv64-xsa-339 SUCCESS
test-pv64-xsa-444 SKIP
test-hvm64-xsa-451 SKIP
test-hvm64-xsa-454 SUCCESS
test-hvm32pae-xsa-consoleio-write SUCCESS
-dileks // 24-Dec-2024
VNC server running on 127.0.0.1:5900
xen-qemu-system-i386: failed to create 'console' device '0': declining to handle console type 'xenconsoled'
xen-qemu-system-i386: terminating on signal 1 from pid 4845 (/usr/lib/xen-4.19/bin/xl)
Waiting for domain test-hvm64-xsa-454 (domid 94) to die [pid 4845]
Domain 94 has shut down, reason code 0 0x0
Action for shutdown reason code 0 is destroy
Domain 94 needs to be cleaned up: destroying the domain
Done. Exiting now
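As an added example (not part of this mail, of XTF, or of the Debian packaging), a small Python helper that parses the "Combined test results:" block xtf-runner prints and checks that the tests relevant to this thread (xsa-454 and xsa-consoleio-write) actually ran and passed in some environment rather than being SKIPped; the sample output below is constructed from the format above, with an invented FAILURE line so the triage path is exercised.

```python
import re

# Constructed sample modelled on xtf-runner's "Combined test results:"
# block; the FAILURE line is invented for illustration.
SAMPLE_OUTPUT = """\
Executing 'xl unpause test-hvm64-xsa-454'
Combined test results:
test-hvm32-cpuid-faulting SKIP
test-hvm64-invlpg~hap SUCCESS
test-hvm64-xsa-451 SKIP
test-hvm64-xsa-454 SUCCESS
test-hvm32pae-xsa-consoleio-write SUCCESS
test-pv64-xsa-182 FAILURE
"""

# test-<environment>-<test>[~<variant>] <RESULT>
RESULT_RE = re.compile(r"^(test-([a-z0-9]+)-([^\s~]+)(?:~(\S+))?)\s+([A-Z]+)$")


def parse_results(text):
    """Map each test name in the 'Combined test results:' block to its
    environment (hvm64, pv64, ...), test id, variant and result."""
    results, in_block = {}, False
    for line in text.splitlines():
        if line.strip() == "Combined test results:":
            in_block = True
            continue
        m = RESULT_RE.match(line.strip()) if in_block else None
        if m:
            name, env, test, variant, result = m.groups()
            results[name] = {"env": env, "test": test,
                             "variant": variant, "result": result}
    return results


def summarize(results):
    """Count results per outcome, e.g. {'SUCCESS': 3, 'SKIP': 2}."""
    counts = {}
    for entry in results.values():
        counts[entry["result"]] = counts.get(entry["result"], 0) + 1
    return counts


def check_required(results, required):
    """For each required test id (e.g. 'xsa-454') return SUCCESS, SKIP,
    MISSING, or the first outcome that is neither SUCCESS nor SKIP."""
    status = {}
    for test in required:
        outcomes = [e["result"] for e in results.values() if e["test"] == test]
        bad = [o for o in outcomes if o not in ("SUCCESS", "SKIP")]
        if not outcomes:
            status[test] = "MISSING"
        elif bad:
            status[test] = bad[0]
        elif all(o == "SKIP" for o in outcomes):
            status[test] = "SKIP"
        else:
            status[test] = "SUCCESS"
    return status
```

Feed it the captured stdout of `xtf-runner -a --host` and treat anything other than SUCCESS for the XSA tests you care about as a reason to look at the host, since a SKIP means the PoC never ran on that configuration.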