Re: How can the CVE-2018-1087 (POP SS) vulnerability escalate privilege to the guest kernel

On 15/05/2018 11:20, Li Qiang wrote:
> 
> 
> By skipping any number of bytes, from 1 to 15, at the beginning of
> the #BP exception handler.
> 
> 
> Thanks,
> 
> Imagine the guest user triggers a "pop ss, int 3"; then it will go to the
> guest kernel and into the int 1 handler (on the IST stack), then VM-exit
> and be recognized as a #DB by KVM. And as KVM just skips the
> instruction (1 to 15 bytes), the rip in the guest will be incorrect. So
> AFAICS "skipping 1 to 15 bytes at the beginning of the #BP
> exception handler" is the only thing the guest user can do, right?

Yes.

> If so,
> I think, if not possible, the privilege escalation is just
> theoretical.

Yes, but every little bit helps.  Skipping the CLAC at the beginning of
the handler lets you bypass SMAP, which is nice.

Paolo
