lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 14 Oct 2017 10:52:45 +0200
From:   Auger Eric <eric.auger@...hat.com>
To:     Christoffer Dall <cdall@...aro.org>
Cc:     eric.auger.pro@...il.com, linux-kernel@...r.kernel.org,
        kvm@...r.kernel.org, marc.zyngier@....com,
        peter.maydell@...aro.org, andre.przywara@....com,
        wanghaibin.wang@...wei.com, wu.wubin@...wei.com
Subject: Re: [PATCH v2 03/10] KVM: arm/arm64: vgic-its: Improve error
 reporting on device table save

Hi Christoffer,

On 13/10/2017 19:56, Christoffer Dall wrote:
> On Fri, Oct 13, 2017 at 04:22:25PM +0200, Auger Eric wrote:
>> Hi,
>>
>> On 13/10/2017 15:16, Christoffer Dall wrote:
>>> On Wed, Sep 27, 2017 at 03:28:33PM +0200, Eric Auger wrote:
>>>> At the moment the device table save() returns -EINVAL if
>>>> vgic_its_check_id() fails to return the gpa of the entry
>>>> associated to the device/collection id. Let vgic_its_check_id()
>>>> return an int instead of a bool and return a more precised
>>>> error value:
>>>> - EINVAL in case the id is out of range
>>>> - EFAULT if the gpa is not provisionned or is not valid
>>>>
>>>
>>> This is just to ease debugging, yes?
>>
>> I understood user-space should be able to discriminate between bad guest
>> programming and values corrupted by the userspace (regs for instance).
>> In first case QEMU should not abort. In latter case it should abort.
> 
> So what is userspace supposed to do in the first case?

I was referring to https://www.spinics.net/lists/kvm/msg148791.html.
QEMU is supposed to write a message in that case but not cause an abort().

This is what is actually implemented on QEMU side. In case the ioctl
returns -EFAULT, we don't abort but simply warn. However at the moment
we return -EINVAL in some circumstances where - I think - we should
return -EFAULT. Hence this patch attempting to be more precise on the
cause of the failure instead of abruptly returning -EINVAL here.

Thanks

Eric
> 
>>
>> In vgic_its_check_id we are checking the L1 entry validity bit and in
>> case it is invalid we can't compute the GPA of the entry. I was thinking
>> we should return -EFAULT in that case. But maybe returning EFAULT in
>> case the BASER<n> address is not reachable also is wrong because that
>> may be caused by the userspace writing a wrong value. Sigh ...
>>
> 
> I think if either userspace or the guest programmed something that
> cannot be traversed, then you just don't save/restore the ITS properly,
> because it's broken anyway, so I don't think we need to replicate the
> *same broken state* at the destination.
> 
> Maybe I'm missing part of the picture here.

> 
> Thanks,
> -Christoffer
>

Powered by blists - more mailing lists