Comment on

SirHaxalot@nord.pub ⁨3⁩ ⁨days⁩ ago

At least it sounds like a full escape is not trivial still

Turning this vulnerability into a full escape is difficult work, because the primitive is tricky. The page that gets reoccupied is the spt of a shadow page that was zapped, returned to buddy, and then refilled. After it is freed, KVM installs no more leaf SPTEs on this page, so the only remaining write is the single fixed constant (on x86-64, 0x8000000000000000) that clears the orphaned parent pointer, and the guest only decides which slot (offset) to write to. Because of this, one must carefully choose a guest-side cross-cache object where that fixed write aligns to a meaningful field, and depending on how the object is allocated it can be dependent on the guest VM’s RAM quota.

Because of this tricky primitive, each architecture must be exploited in a different way, and empirically, the AMD-specific exploit is a little easier.

source
Sort:hotnewtop