lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 28 Apr 2016 14:32:27 -0600
From:	"Bruce Rogers" <brogers@...e.com>
To:	"Radim Kr*má*" <rkrcmar@...hat.com>
Cc:	<namit@...technion.ac.il>, <kvm@...r.kernel.org>,
	<linux-kernel@...r.kernel.org>, <stable@...r.kernel.org>
Subject: Re: [PATCH] KVM: x86: fix ordering of cr0 initialization code
 in vmx_cpu_reset

>>> On 4/28/2016 at 01:08 PM, Radim Kr*má* <rkrcmar@...hat.com> wrote: 
> 2016-04-22 12:56-0600, Bruce Rogers:
>> Commit d28bc9dd25ce reversed the order of two lines which initialize cr0,
>> allowing the current (old) cr0 value to mess up vcpu initialization.
>> This was observed in the checks for cr0 X86_CR0_WP bit in the context of
>> kvm_mmu_reset_context(). Besides, setting vcpu->arch.cr0 after vmx_set_cr0()
>> is completely redundant. Change the order back to ensure proper vcpu
>> initialization.
>> 
>> The combination of booting with ovmf firmware when guest vcpus > 1 and kvm's
>> ept=N option being set results in a VM-entry failure. This patch fixes that.
> 
> Greg pointed out missing,
>   Cc: stable@...r.kernel.org
> when stable@...r.kernel.org was Cc'd. Adding
>   Fixes: d28bc9dd25ce ("KVM: x86: INIT and reset sequences are different")
> would be nice too (even when it is redundant).
> 
>> Signed-off-by: Bruce Rogers <brogers@...e.com>
>> ---
>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>> @@ -5046,8 +5046,8 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool 
> init_event)
>>  	cr0 = X86_CR0_NW | X86_CR0_CD | X86_CR0_ET;
>> -	vmx_set_cr0(vcpu, cr0); /* enter rmode */
>>  	vmx->vcpu.arch.cr0 = cr0;
>> +	vmx_set_cr0(vcpu, cr0); /* enter rmode */
> 
> So vmx_set_cr0() has a code that depends on vmx->vcpu.arch.cr0 being
> already set the to new value.  Do you know what function is it?

The one which I partly referred to above is the following:
vmx_set_cr0() ->
enter_rmode() ->
kvm_mmu_reset_context() ->
init_kvm_softmmu() ->
kvm_init_shadow_mmu() ->
is_write_protected()
which uses the CR0 WP bit.
There may be other problematic references. I haven't tried to do an
exhaustive search.

> 
> I think we better set vmx->vcpu.arch.cr0 early in vmx_set_cr0().
> Or do other callsites somehow depend on the old cr0 value?

You may be right that that is a better overall fix. I was simply trying
to undo the erroneous lines in the commit which broke things, partly
to have a patch better suited for applying to stable releases.

I'll send a v2 shortly with your suggested additions to the patch header.

Thanks,

Bruce

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ