Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

KVM: SVM: out-of-bounds read/write in sev_es_string_io- 695

fwilhelm - Project Zero (P0) Posted 4 Years Ago
  • KVM (Kernel-based Virtual Machine) is the virtualization platform built into the Linux kernel. This vulnerability is in KVM's support for SEV-ES (Secure Encrypted Virtualization - Encrypted State), the AMD feature that keeps a guest's memory and register state encrypted from the hypervisor.
  • When a SEV-ES guest triggers a VMGEXIT for a string I/O instruction, the function sev_es_string_io is called to copy the string between an unencrypted (shared) guest memory region and the virtualized target device. For this copy, the element size and the repeat count, and therefore the total number of bytes, come from the guest and are controlled by the attacker.
  • These values feed a memcpy, but the destination buffer is only a single page (0x1000 bytes). A request with size * count > 0x1000 therefore writes past the end of that buffer: an out-of-bounds write primitive reachable from the guest.
  • A similar bug exists on the read side. Interestingly, the read path always produced an out-of-bounds read whenever count was greater than 1, so it was broken from the moment it was written; it is surprising that this survived code review.
  • Running the kernel with KASAN (Kernel Address Sanitizer) produces a crash for both the out-of-bounds read and the out-of-bounds write. Why wasn't this found earlier? VMGEXIT is the mechanism by which a SEV-ES guest asks the hypervisor for a service (here, emulation of a string I/O instruction) through the shared GHCB page, and that guest-to-host interface is not what is usually fuzzed. The more you fuzz, the more you find!
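The unchecked size * count copy described above, modelled in user space as an added example (this is not the KVM code and not from the Project Zero post): a one-page staging buffer standing in for the per-vCPU page, the vulnerable copy that trusts the guest's size and count, and the hardened copy that rejects any request whose byte count overflows or exceeds the page. The struct, function names and the guard region used to detect the overrun are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not kernel code: the staging buffer is one page (0x1000
 * bytes), like the single page the vulnerable kernel path copied into. */
#define PIO_PAGE_SIZE 0x1000u

/* Hypothetical stand-in for the per-vCPU page, followed by a guard region so an
 * overrun can be observed in user space instead of corrupting something else. */
struct vcpu_model {
    uint8_t pio_data[PIO_PAGE_SIZE];
    uint8_t guard[64];
};

/* Vulnerable shape: size and count come from the guest, and size * count bytes are
 * copied into the one-page buffer with no bounds check. noinline keeps the compiler
 * from folding the constant request below into the memcpy. */
__attribute__((noinline))
static void string_io_unchecked(struct vcpu_model *v, const uint8_t *guest_data,
                                unsigned int size, unsigned int count)
{
    memcpy(v->pio_data, guest_data, (size_t)size * count);
}

/* Hardened shape: compute the byte count with overflow detection and refuse the
 * request if it does not fit in the page. Return convention is this example's own. */
__attribute__((noinline))
static int string_io_checked(struct vcpu_model *v, const uint8_t *guest_data,
                             unsigned int size, unsigned int count)
{
    unsigned int bytes;

    if (size == 0 || count == 0)
        return -1;
    if (__builtin_mul_overflow(size, count, &bytes))   /* size * count wrapped */
        return -1;
    if (bytes > PIO_PAGE_SIZE)                          /* does not fit in one page */
        return -1;

    memcpy(v->pio_data, guest_data, bytes);
    return 0;
}

static void reset_vcpu(struct vcpu_model *v)
{
    memset(v->pio_data, 0x00, sizeof v->pio_data);
    memset(v->guard, 0xAA, sizeof v->guard);
}

/* True if nothing was written past the end of pio_data. */
static bool guard_intact(const struct vcpu_model *v)
{
    for (size_t i = 0; i < sizeof v->guard; i++)
        if (v->guard[i] != 0xAA)
            return false;
    return true;
}

/* Constructed guest-side source buffer: large enough for the oversized request. */
static uint8_t guest_data[PIO_PAGE_SIZE + 64];

/* Returns 1 if the unchecked copy with size=4, count=0x401 (0x1004 bytes, four past
 * the page) clobbers the guard, i.e. the out-of-bounds write is real. */
int unchecked_copy_overruns(void)
{
    static struct vcpu_model v;
    memset(guest_data, 0x41, sizeof guest_data);
    reset_vcpu(&v);
    string_io_unchecked(&v, guest_data, 4, 0x401);
    return guard_intact(&v) ? 0 : 1;
}

/* Returns 1 if the hardened copy accepts (size, count), 0 if it refuses; in both
 * cases the guard must remain intact. */
int checked_copy_accepts(unsigned int size, unsigned int count)
{
    static struct vcpu_model v;
    memset(guest_data, 0x41, sizeof guest_data);
    reset_vcpu(&v);
    int rc = string_io_checked(&v, guest_data, size, count);
    return (rc == 0 && guard_intact(&v)) ? 1 : 0;
}

int main(void)
{
    printf("unchecked copy overran the page: %s\n",
           unchecked_copy_overruns() ? "yes" : "no");
    printf("checked copy accepts 4*0x401: %d, 4*0x400: %d, 0x10000*0x10000: %d\n",
           checked_copy_accepts(4, 0x401), checked_copy_accepts(4, 0x400),
           checked_copy_accepts(0x10000, 0x10000));
    return 0;
}
```

The last case in main is the reason the multiplication is checked before the comparison: 0x10000 * 0x10000 wraps to 0 in 32 bits, so a plain `size * count > PIO_PAGE_SIZE` test would pass it through and the memcpy would then be handed whatever the widened product turns out to be. The read direction needs the same check, since the bug on the page exists on both sides of the copy.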