On Thu, 10 Jan 2019 11:20:04 -0600 Josh Poimboeuf <jpoim...@redhat.com> wrote:

> > While I can't find a reason for hypervisors to emulate this instruction,
> > smarter people might find ways to turn it into a security exploit.
>
> Interesting point... but I wonder if it's a realistic concern. BTW,
> text_poke_bp() also relies on undocumented behavior.

But we did get an official OK from Intel that it will work. Took a bit of
arm twisting to get them to do so, but they did. And it really is pretty
robust.

I would really like an acknowledgment from the HW vendors before we do go
this route.

-- Steve

>
> The entire instruction doesn't need to be read atomically; just the
> 32-bit call destination. Assuming the hypervisor is x86-64, and it uses
> a 32-bit access to read the call destination (which seems logical), the
> intra-cacheline reads will be atomic, as stated in the SDM.
>
> If the above assumptions are not true, and the hypervisor reads the call
> destination non-atomically (which seems unlikely IMO), even then I don't
> see how it could be realistically exploitable. It would just oops from
> calling a corrupt address.
>
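The quoted argument rests on two things: that the 4-byte rel32 of a 5-byte `call` is fetched as a single intra-cacheline 32-bit access, and that a reader which is not atomic would at worst compute a corrupt destination. The following is an added example written for this page, not code from the thread or from the kernel's static-call or text_poke_bp() implementation. It models a `call rel32` patch, checks whether the four destination bytes actually share one cacheline (assumed to be 64 bytes; `CACHELINE`, `encode_call`, `torn_call_target` and the sample addresses are this example's own), and shows what a byte-wise reader overtaken by the writer would see.

```c
/* Added example (not from the thread): model a 5-byte "call rel32" patch,
 * the intra-cacheline condition the argument above depends on, and the torn
 * destination a non-atomic reader would compute. Assumes a 64-byte cacheline
 * (typical for x86, but an assumption here) and the E8 rel32 encoding. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CALL_OPCODE 0xE8
#define CALL_LEN    5     /* E8 followed by a 4-byte signed displacement */
#define CACHELINE   64    /* assumed line size */

/* Encode "call target" at insn_addr. Returns 0, or -1 if target is out of
 * rel32 range (rel32 is relative to the end of the instruction). */
static int encode_call(uint8_t out[CALL_LEN], uint64_t insn_addr, uint64_t target)
{
    int64_t disp = (int64_t)(target - (insn_addr + CALL_LEN));
    if (disp > INT32_MAX || disp < INT32_MIN)
        return -1;
    int32_t rel = (int32_t)disp;
    out[0] = CALL_OPCODE;
    memcpy(&out[1], &rel, sizeof rel);   /* little-endian, as on x86 */
    return 0;
}

/* Destination the CPU would call for the bytes currently at insn_addr. */
static uint64_t decode_call_target(const uint8_t insn[CALL_LEN], uint64_t insn_addr)
{
    int32_t rel;
    memcpy(&rel, &insn[1], sizeof rel);
    return insn_addr + CALL_LEN + (int64_t)rel;
}

/* Encode, decode, and confirm the round trip lands on target. */
static bool roundtrip_ok(uint64_t insn_addr, uint64_t target)
{
    uint8_t insn[CALL_LEN];
    return encode_call(insn, insn_addr, target) == 0 &&
           insn[0] == CALL_OPCODE &&
           decode_call_target(insn, insn_addr) == target;
}

/* The rel32 occupies bytes insn_addr+1 .. insn_addr+4. The "intra-cacheline
 * reads are atomic" reasoning only applies if those four bytes share a line,
 * so a patcher would want to check this for every call site it touches. */
static bool call_dest_intra_cacheline(uint64_t insn_addr)
{
    uint64_t first = insn_addr + 1;
    uint64_t last  = insn_addr + CALL_LEN - 1;
    return (first / CACHELINE) == (last / CACHELINE);
}

/* Model a reader that fetches the rel32 one byte at a time and is overtaken
 * by the writer after `split` bytes: it sees `split` new bytes followed by
 * old ones. Returns the destination such a reader would compute; for
 * 0 < split < 4 that is neither the old nor the new target. */
static uint64_t torn_call_target(uint64_t insn_addr, uint64_t old_target,
                                 uint64_t new_target, unsigned split)
{
    uint8_t old_insn[CALL_LEN], new_insn[CALL_LEN], seen[CALL_LEN];
    if (split > 4 ||
        encode_call(old_insn, insn_addr, old_target) != 0 ||
        encode_call(new_insn, insn_addr, new_target) != 0)
        return 0;
    seen[0] = CALL_OPCODE;
    for (unsigned i = 0; i < 4; i++)
        seen[1 + i] = (i < split) ? new_insn[1 + i] : old_insn[1 + i];
    return decode_call_target(seen, insn_addr);
}

int main(void)
{
    /* Constructed sample: a call site at 0x1000 being retargeted. */
    uint64_t at = 0x1000, old = 0x401000, next = 0x01020304;

    printf("rel32 at %#lx within one cacheline: %s\n", (unsigned long)at,
           call_dest_intra_cacheline(at) ? "yes" : "no");
    printf("rel32 at %#lx within one cacheline: %s\n", (unsigned long)(at + 0x3C),
           call_dest_intra_cacheline(at + 0x3C) ? "yes" : "no");
    for (unsigned s = 0; s <= 4; s++)
        printf("reader saw %u new byte(s): would call %#llx\n", s,
               (unsigned long long)torn_call_target(at, old, next, s));
    return 0;
}
```

With the sample addresses, a reader that saw two new bytes and two old ones would compute 0x400304, an address that is neither the old nor the new callee, which is the "oops from calling a corrupt address" outcome the reply describes. The cacheline check is the part worth keeping around: a call site at 0x103C puts its rel32 at 0x103D..0x1040, straddling a 64-byte boundary, so the single-access atomicity argument does not cover it.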