lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 05 Sep 2019 10:11:38 +0100
From:   Marc Zyngier <maz@...nel.org>
To:     Heinrich Schuchardt <xypron.glpk@....de>
Cc:     James Morse <james.morse@....com>,
        Julien Thierry <julien.thierry@....com>,
        Suzuki K Pouloze <suzuki.poulose@....com>,
        Peter Maydell <peter.maydell@...aro.org>,
        Stefan Hajnoczi <stefanha@...hat.com>,
        "Daniel P . Berrangé" <berrange@...hat.com>,
        linux-arm-kernel@...ts.infradead.org, kvmarm@...ts.cs.columbia.edu,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/1] KVM: inject data abort if instruction cannot be decoded

On Thu, 05 Sep 2019 09:28:42 +0100,
Heinrich Schuchardt <xypron.glpk@....de> wrote:
> 
> On 9/5/19 10:03 AM, Marc Zyngier wrote:
> > [Please use my kernel.org address. My arm.com address will disappear shortly]
> > 
> > On Wed, 04 Sep 2019 19:07:36 +0100,
> > Heinrich Schuchardt <xypron.glpk@....de> wrote:
> >> 
> >> If an application tries to access memory that is not mapped, an error
> >> ENOSYS, "load/store instruction decoding not implemented" may occur.
> >> QEMU will hang with a register dump.
> >> 
> >> Instead create a data abort that can be handled gracefully by the
> >> application running in the virtual environment.
> >> 
> >> Now the virtual machine can react to the event in the most appropriate
> >> way - by recovering, by writing an informative log, or by rebooting.
> >> 
> >> Signed-off-by: Heinrich Schuchardt <xypron.glpk@....de>
> >> ---
> >>   virt/kvm/arm/mmio.c | 4 ++--
> >>   1 file changed, 2 insertions(+), 2 deletions(-)
> >> 
> >> diff --git a/virt/kvm/arm/mmio.c b/virt/kvm/arm/mmio.c
> >> index a8a6a0c883f1..0cbed7d6a0f4 100644
> >> --- a/virt/kvm/arm/mmio.c
> >> +++ b/virt/kvm/arm/mmio.c
> >> @@ -161,8 +161,8 @@ int io_mem_abort(struct kvm_vcpu *vcpu, struct kvm_run *run,
> >>   		if (ret)
> >>   			return ret;
> >>   	} else {
> >> -		kvm_err("load/store instruction decoding not implemented\n");
> >> -		return -ENOSYS;
> >> +		kvm_inject_dabt(vcpu, kvm_vcpu_get_hfar(vcpu));
> >> +		return 1;
> > 
> > How can you tell that the access would fault? You have no idea at that
> > stage (the kernel doesn't know about the MMIO ranges that userspace
> > handles). All you know is that you're faced with a memory access that
> > you cannot emulate in the kernel. Injecting a data abort at that stage
> > is not something that the architecture allows.
> > 
> > If you want to address this, consider forwarding the access to
> > userspace. You'll only need an instruction decoder (supporting T1, T2,
> > A32 and A64) and a S1 page table walker (one per page table format,
> > all three of them) to emulate the access (having taken care of
> > stopping all the other vcpus to make sure there is no concurrent
> > modification of the page tables). You'll then be able to return the
> > result of the access back to the kernel.
> 
> If I understand you right, the problem has to be fixed in QEMU and not
> in KVM.

It is a shared responsibility.

> Is there an example of such a forwarding already available in QEMU?

Yes. That's how we ask userspace (QEMU) to perform a MMIO access on
behalf of the guest (see how the run structure is populated and the
vcpu thread returns to userspace).

> > 
> > Of course, the best thing would be to actually fix the guest so that
> > it doesn't use non-emulatable MMIO accesses. In general, that the sign
> > of a bug in low-level accessors.
> 
> My problem was to find out where in my guest (U-Boot running UEFI SCT)
> the problem occurred. With this patch U-Boot gave me the relative
> address in Shell.efi and I was able to locate what was wrong in U-Boot's
> UEFI implementation.

I understand that there is a need for more precise information. I'm
just wary of adding debug features that become something that people
rely on, despite being in contradiction with the architecture.

I can help with the kernel side of the reporting, should someone want
to tackle the userspace side of it.

Thanks,

	M.

-- 
Jazz is not dead, it just smells funny.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ