lists.openwall.net: Open Source and information security mailing list archives
Date:	Tue, 4 Aug 2015 19:04:48 +0800
From:	Xiao Guangrong <guangrong.xiao@...ux.intel.com>
To:	pbonzini@...hat.com
Cc:	gleb@...nel.org, mtosatti@...hat.com, kvm@...r.kernel.org,
	linux-kernel@...r.kernel.org, Pavel Shirshov <ru.pchel@...il.com>
Subject: Re: [PATCH 0/9] KVM: MMU: fix and improve validation of mmio page fault


CCed Pavel Shirshov <ru.pchel@...il.com>

Sorry, the git tool failed to CC the mail to the person tagged with "Reported-by"
and "Tested-by". :(

On 08/04/2015 06:59 PM, Xiao Guangrong wrote:
> The current code validating mmio #PF is buggy; it was spotted by Pavel
> Shirshov. The bug is that qemu complained with "KVM: unknown exit,
> hardware reason 31" and KVM showed this info:
> [84245.284948] EPT: Misconfiguration.
> [84245.285056] EPT: GPA: 0xfeda848
> [84245.285154] ept_misconfig_inspect_spte: spte 0x5eaef50107 level 4
> [84245.285344] ept_misconfig_inspect_spte: spte 0x5f5fadc107 level 3
> [84245.285532] ept_misconfig_inspect_spte: spte 0x5141d18107 level 2
> [84245.285723] ept_misconfig_inspect_spte: spte 0x52e40dad77 level 1
>
> This is because we got a mmio #PF and the handler sees that the mmio spte
> has become normal (points to the ram page).
>
> However, this is valid after introducing fast mmio spte invalidation, which
> increases the generation number instead of zapping mmio sptes. An example
> is as follows:
> 1. QEMU drops mmio region by adding a new memslot
> 2. invalidate all mmio sptes
> 3.
>
>          VCPU 0                        VCPU 1
>      access the invalid mmio spte
>
>                              access the region originally was MMIO before
>                              set the spte to the normal ram map
>
>      mmio #PF
>      check the spte and see it becomes normal ram mapping !!!
>
> The first patch simply fixes the bug by dropping the validation in the mmio
> handler, which is good for backport.
>
> Later patches enable fully checking reserved bits for shadow page table
> entries. Since shadow page tables and guest page tables have the same
> format, these patches reuse the logic which checks reserved bits on
> guest ptes to check sptes.
>
> Xiao Guangrong (9):
>    KVM: MMU: fix validation of mmio page fault
>    KVM: MMU: move FNAME(is_rsvd_bits_set) to mmu.c
>    KVM: MMU: introduce rsvd_bits_validate
>    KVM: MMU: split reset_rsvds_bits_mask
>    KVM: MMU: split reset_rsvds_bits_mask_ept
>    KVM: MMU: introduce the framework to check reserved bits on sptes
>    KVM: MMU: introduce is_shadow_rsvd_bits_set()
>    KVM: MMU: fully check reserved bits for sptes
>    KVM: VMX: drop ept misconfig check
>
>   arch/x86/include/asm/kvm_host.h |   9 +-
>   arch/x86/kvm/mmu.c              | 284 ++++++++++++++++++++++++----------------
>   arch/x86/kvm/mmu.h              |   4 +-
>   arch/x86/kvm/paging_tmpl.h      |  13 +-
>   arch/x86/kvm/svm.c              |   1 +
>   arch/x86/kvm/vmx.c              |  74 +----------
>   arch/x86/kvm/x86.c              |   3 +-
>   7 files changed, 187 insertions(+), 201 deletions(-)
>
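The interleaving in the cover letter above, replayed as an added example. This is a toy model written for this page, not KVM's code or any code from the series: the spte bit layout (an assumed mmio flag in bit 63, 11 generation bits at bit 52), the names toy_kvm, mark_mmio_spte, memslot_changed, map_ram, handle_mmio_page_fault and replay_race, and the three-way result enum are all assumptions for illustration. The `strict` flag models the old handler's check, which reported a non-mmio spte as a bug, against the fixed handler, which lets the guest refault.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of generation-stamped MMIO sptes. Names, bit layout and
 * sizes are assumptions for illustration only; they are not KVM's.
 */
#define TOY_NR_GFNS     16
#define MMIO_SPTE_FLAG  (1ULL << 63)            /* assumed: marks an mmio spte */
#define GEN_SHIFT       52
#define GEN_MASK        0x7ffULL                /* assumed: 11 generation bits */
#define GFN_MASK        ((1ULL << 40) - 1)

enum mmio_pf_result {
    MMIO_PF_EMULATE = 0,    /* valid mmio spte: emulate the access */
    MMIO_PF_RETRY   = 1,    /* spte stale or already rebuilt: let the guest refault */
    MMIO_PF_BUG     = 2,    /* what the old validation reported (EPT misconfig) */
};

struct toy_kvm {
    uint64_t mmio_generation;       /* bumped on memslot change, never zaps sptes */
    uint64_t sptes[TOY_NR_GFNS];    /* one last-level spte per toy gfn */
};

static bool is_mmio_spte(uint64_t spte)
{
    return (spte & MMIO_SPTE_FLAG) != 0;
}

static uint64_t spte_generation(uint64_t spte)
{
    return (spte >> GEN_SHIFT) & GEN_MASK;
}

/* Install an mmio spte stamped with the current generation. */
static void mark_mmio_spte(struct toy_kvm *kvm, uint64_t gfn)
{
    uint64_t gen = kvm->mmio_generation & GEN_MASK;
    kvm->sptes[gfn] = MMIO_SPTE_FLAG | (gen << GEN_SHIFT) | (gfn & GFN_MASK);
}

/* Steps 1-2 of the cover letter: QEMU drops the mmio region by adding a
 * memslot; all mmio sptes are invalidated by bumping the generation. */
static void memslot_changed(struct toy_kvm *kvm)
{
    kvm->mmio_generation++;
}

/* VCPU 1's side of step 3: the gfn that was mmio is now backed by ram, so
 * the spte is overwritten with a normal present mapping. */
static void map_ram(struct toy_kvm *kvm, uint64_t gfn, uint64_t pfn)
{
    kvm->sptes[gfn] = (pfn << 12) | 0x7;   /* assumed: present + rw, no mmio flag */
}

/* VCPU 0's side of step 3: the mmio #PF handler re-reads the spte.
 * strict == true models the old handler, which treated a non-mmio spte as
 * a bug; the first patch of the series drops that check (strict == false). */
static enum mmio_pf_result handle_mmio_page_fault(const struct toy_kvm *kvm,
                                                  uint64_t gfn, bool strict)
{
    uint64_t spte = kvm->sptes[gfn];

    if (!is_mmio_spte(spte)) {
        /* Another vcpu already replaced the mmio spte with a ram mapping. */
        return strict ? MMIO_PF_BUG : MMIO_PF_RETRY;
    }
    if (spte_generation(spte) != (kvm->mmio_generation & GEN_MASK)) {
        /* Stamp is from before the memslot change: stale, rebuild on refault. */
        return MMIO_PF_RETRY;
    }
    return MMIO_PF_EMULATE;
}

/* Replays the interleaving from the cover letter and returns the handler's
 * verdict for VCPU 0 once VCPU 1 has installed the ram mapping. */
static enum mmio_pf_result replay_race(bool strict)
{
    struct toy_kvm kvm = { .mmio_generation = 1 };
    const uint64_t gfn = 3;

    mark_mmio_spte(&kvm, gfn);          /* region is MMIO, spte cached */
    memslot_changed(&kvm);              /* steps 1-2: region becomes ram */
    /* VCPU 0 hits the stale mmio spte and takes an mmio #PF here ... */
    map_ram(&kvm, gfn, 0x5eaef);        /* ... VCPU 1 wins and maps ram first */
    return handle_mmio_page_fault(&kvm, gfn, strict);
}

int main(void)
{
    printf("old handler: %d, fixed handler: %d\n",
           replay_race(true), replay_race(false));
    return 0;
}
```

The point the model makes is that a generation bump leaves stale mmio sptes in place on purpose, so a non-mmio spte under an mmio fault is an expected outcome of a lost race, not corruption, and the only safe answer for the faulting vcpu is to retry.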