lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 13 May 2018 01:28:29 -0700 (PDT)
From:   Liran Alon <liran.alon@...cle.com>
To:     <kernellwp@...il.com>
Cc:     <rkrcmar@...hat.com>, <pbonzini@...hat.com>,
        <linux-kernel@...r.kernel.org>, <junaids@...gle.com>,
        <kvm@...r.kernel.org>
Subject: Re: [PATCH 1/2] KVM: X86: Fix CR3 reserve bits


----- kernellwp@...il.com wrote:

> 2018-05-13 15:53 GMT+08:00 Liran Alon <liran.alon@...cle.com>:
> >
> > ----- kernellwp@...il.com wrote:
> >
> >> From: Wanpeng Li <wanpengli@...cent.com>
> >>
> >> MSB of CR3 is a reserved bit if the PCIDE bit is not set in CR4.
> >> It should be checked when PCIDE bit is not set, however commit
> >> 'd1cd3ce900441 ("KVM: MMU: check guest CR3 reserved bits based on
> >> its physical address width")' removes the bit 63 checking
> >> unconditionally. This patch fixes it by checking bit 63 of CR3
> >> when PCIDE bit is not set in CR4.
> >>
> >> Fixes: d1cd3ce900441 (KVM: MMU: check guest CR3 reserved bits based
> on
> >> its physical address width)
> >> Cc: Paolo Bonzini <pbonzini@...hat.com>
> >> Cc: Radim Krčmář <rkrcmar@...hat.com>
> >> Cc: Junaid Shahid <junaids@...gle.com>
> >> Signed-off-by: Wanpeng Li <wanpengli@...cent.com>
> >> ---
> >>  arch/x86/kvm/emulate.c | 4 +++-
> >>  arch/x86/kvm/x86.c     | 2 +-
> >>  2 files changed, 4 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> >> index b3705ae..b21f427 100644
> >> --- a/arch/x86/kvm/emulate.c
> >> +++ b/arch/x86/kvm/emulate.c
> >> @@ -4189,7 +4189,9 @@ static int check_cr_write(struct
> >> x86_emulate_ctxt *ctxt)
> >>                               maxphyaddr = eax & 0xff;
> >>                       else
> >>                               maxphyaddr = 36;
> >> -                     rsvd = rsvd_bits(maxphyaddr, 62);
> >> +                     if (ctxt->ops->get_cr(ctxt, 4) &
> X86_CR4_PCIDE)
> >> +                             new_val &= ~CR3_PCID_INVD;
> >> +                     rsvd = rsvd_bits(maxphyaddr, 63);
> >
> > I would prefer instead to do this:
> > if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PCIDE)
> >     rsvd &= ~CR3_PCID_INVD;
> > It makes more sense as opposed to temporary removing the
> CR3_PCID_INVD bit from new_val.
> 
> It tries the same way
> https://urldefense.proofpoint.com/v2/url?u=https-3A__git.kernel.org_pub_scm_virt_kvm_kvm.git_commit_-3Fid-3Dc19986fea873f3c745122bf79013a872a190f212&d=DwIFaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=Jk6Q8nNzkQ6LJ6g42qARkg6ryIDGQr-yKXPNGZbpTx0&m=r52WDgKBorUHwe_B_5Nw2Le_F_E0ne8lqqWW6n-3bSg&s=ufTcXvhhAMkY3XP6gAx-HiKCT8ynPWo2fs2z9DqCzM4&e=
> pointed out.
> 
> Regards,
> Wanpeng Li

Yes but there it makes sense as new CR3 value should not have bit 63 set in vcpu->arch.cr3.

> 
> >
> >>               }
> >>
> >>               if (new_val & rsvd)
> >> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> >> index 87e4805..9a90668 100644
> >> --- a/arch/x86/kvm/x86.c
> >> +++ b/arch/x86/kvm/x86.c
> >> @@ -863,7 +863,7 @@ int kvm_set_cr3(struct kvm_vcpu *vcpu,
> unsigned
> >> long cr3)
> >>       }
> >>
> >>       if (is_long_mode(vcpu) &&
> >> -         (cr3 & rsvd_bits(cpuid_maxphyaddr(vcpu), 62)))
> >> +         (cr3 & rsvd_bits(cpuid_maxphyaddr(vcpu), 63)))
> >>               return 1;
> >>       else if (is_pae(vcpu) && is_paging(vcpu) &&
> >>                  !load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3))
> >> --
> >> 2.7.4

Powered by blists - more mailing lists