| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 16 Jun 2016 19:16:55 +0800
From: Haozhong Zhang <haozhong.zhang@...el.com>
To: Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, rkrcmar@...hat.com,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
"H . Peter Anvin" <hpa@...or.com>, x86@...nel.org,
linux-kernel@...r.kernel.org, Gleb Natapov <gleb@...nel.org>,
Boris Petkov <bp@...e.de>, Tony Luck <tony.luck@...el.com>,
Andi Kleen <andi.kleen@...el.com>,
Ashok Raj <ashok.raj@...el.com>
Subject: Re: [PATCH v2 2/3] KVM: VMX: validate individual bits of guest
MSR_IA32_FEATURE_CONTROL
On 06/16/16 12:01, Paolo Bonzini wrote:
>
>
> On 16/06/2016 08:05, Haozhong Zhang wrote:
> > +/*
> > + * FEATURE_CONTROL_LOCKED is added/removed automatically by
> > + * feature_control_valid_bits_add/del(), so it's not included here.
> > + */
> > +#define FEATURE_CONTROL_MAX_VALID_BITS \
> > + FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX
> > +
> > +static void feature_control_valid_bits_add(struct kvm_vcpu *vcpu, uint64_t bits)
> > +{
> > + ASSERT(!(bits & ~FEATURE_CONTROL_MAX_VALID_BITS));
>
> The KVM-specific ASSERT macro should go. You can use WARN_ON.
>
will change to WARN_ON.
> However, I think FEATURE_CONTROL_LOCKED should always be writable. If
> you change that, it's simpler to just do |= and &= in the caller.
>
These two functions (add/del) are to prevent callers from forgetting
setting/clearing FEATURE_CONTROL_LOCKED in
msr_ia32_feature_control_valid_bits: it should be set if any feature
bit is set, and be cleared if all feature bits are cleared. The second
rule could relaxed as we can always present MSR_IA32_FEATURE_CONTROL
to guest.
I'm okey to let callers take care for the locked bit.
> > + to_vmx(vcpu)->msr_ia32_feature_control_valid_bits |=
> > + bits | FEATURE_CONTROL_LOCKED;
> > +}
> > +
> > +static void feature_control_valid_bits_del(struct kvm_vcpu *vcpu, uint64_t bits)
> > +{
> > + uint64_t *valid_bits =
> > + &to_vmx(vcpu)->msr_ia32_feature_control_valid_bits;
> > + ASSERT(!(bits & ~FEATURE_CONTROL_MAX_VALID_BITS));
> > + *valid_bits &= ~bits;
> > + if (!(*valid_bits & ~FEATURE_CONTROL_LOCKED))
> > + *valid_bits = 0;
> > +}
> > +
> > #define VMCS12_OFFSET(x) offsetof(struct vmcs12, x)
> > #define FIELD(number, name) [number] = VMCS12_OFFSET(name)
> > #define FIELD64(number, name) [number] = VMCS12_OFFSET(name), \
> > @@ -2864,6 +2897,14 @@ static int vmx_get_vmx_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
> > return 0;
> > }
> >
> > +static inline bool vmx_feature_control_msr_valid(struct kvm_vcpu *vcpu,
> > + uint64_t val)
> > +{
> > + uint64_t valid_bits = to_vmx(vcpu)->msr_ia32_feature_control_valid_bits;
> > +
> > + return valid_bits && !(val & ~valid_bits);
> > +}
> > /*
> > * Reads an msr value (of 'msr_index') into 'pdata'.
> > * Returns 0 on success, non-0 otherwise.
> > @@ -2906,7 +2947,7 @@ static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> > msr_info->data = vmcs_read64(GUEST_BNDCFGS);
> > break;
> > case MSR_IA32_FEATURE_CONTROL:
> > - if (!nested_vmx_allowed(vcpu))
> > + if (!vmx_feature_control_msr_valid(vcpu, 0))
>
> You can remove this if completely in patch 1. It's okay to make the MSR
> always available.
>
But then it also allows all bits to be set by guests, even though some
features are not available. Though this problem already exists before
Patch 1, I prefer to leave it as was in Patch 1 and fix it here.
Haozhong
Powered by blists - more mailing lists