lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAOLK0pwczbQrno_vc2Uj6czyELyiEHeCAoi2SgDvvKcRNiijiw@mail.gmail.com>
Date:   Fri, 8 Dec 2017 16:28:30 +0800
From:   Tianyu Lan <lantianyu1986@...il.com>
To:     Jim Mattson <jmattson@...gle.com>
Cc:     Wanpeng Li <kernellwp@...il.com>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        syzbot 
        <bot+75375385991b4f8c599704a10849863c586ea284@...kaller.appspotmail.com>,
        "H. Peter Anvin" <hpa@...or.com>, kvm <kvm@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...hat.com>,
        Paolo Bonzini <pbonzini@...hat.com>,
        Radim Krcmar <rkrcmar@...hat.com>,
        syzkaller-bugs@...glegroups.com,
        Thomas Gleixner <tglx@...utronix.de>,
        "the arch/x86 maintainers" <x86@...nel.org>
Subject: Re: WARNING in x86_emulate_insn

Hi Jim&Wanpeng:
         Thanks for your help.

2017-12-08 5:25 GMT+08:00 Jim Mattson <jmattson@...gle.com>:
> Try disabling the module parameter, "unrestricted_guest." Make sure
> that the module parameter, "emulate_invalid_guest_state" is enabled.
> This combination allows userspace to feed invalid guest state into the
> in-kernel emulator.

Yes, you are right. I need to disable unrestricted_guest to reproduce the issue.

I find this is pop instruction emulation issue. According "SDM VOL2,
chapter INSTRUCTION
SET REFERENCE. POP—Pop a Value from the Stack"

Protected Mode Exceptions
#GP(0) If attempt is made to load SS register with NULL segment selector.

This test case hits it but current code doesn't check such case.
The following patch can fix the issue.

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index abe74f7..e2ac5cc 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1844,6 +1844,9 @@ static int emulate_pop(struct x86_emulate_ctxt *ctxt,
        int rc;
        struct segmented_address addr;

+       if ( !get_segment_selector(ctxt, VCPU_SREG_SS))
+               return emulate_gp(ctxt, 0);
+
        addr.ea = reg_read(ctxt, VCPU_REGS_RSP) & stack_mask(ctxt);
        addr.seg = VCPU_SREG_SS;
        rc = segmented_read(ctxt, addr, dest, len);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ