lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 27 Feb 2020 19:00:33 +0100
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Mohammed Gamal <mgamal@...hat.com>, kvm@...r.kernel.org
Cc:     sean.j.christopherson@...el.com, vkuznets@...hat.com,
        wanpengli@...cent.com, jmattson@...gle.com, joro@...tes.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 5/5] KVM: x86: mmu: Add guest physical address check in
 translate_gpa()

On 27/02/20 18:23, Mohammed Gamal wrote:
> In case of running a guest with 4-level page tables on a 5-level page
> table host, it might happen that a guest might have a physical address
> with reserved bits set, but the host won't see that and trap it.
> 
> Hence, we need to check page faults' physical addresses against the guest's
> maximum physical memory and if it's exceeded, we need to add
> the PFERR_RSVD_MASK bits to the PF's error code.

You can just set it to PFERR_RSVD_MASK | PFERR_PRESENT_MASK (no need to
use an "|") and return UNMAPPED_GBA.  But I would have thought that this
is not needed and the

                if (unlikely(FNAME(is_rsvd_bits_set)(mmu, pte, walker->level))) {
                        errcode = PFERR_RSVD_MASK | PFERR_PRESENT_MASK;
                        goto error;
                }

code would have catch the reserved bits.

> Also make sure the error code isn't overwritten by the page table walker.

Returning UNMAPPED_GVA would remove that as well.

I'm not sure this patch is enough however.  For a usermode access with
"!pte.u pte.40" for example you should be getting:

- a #PF with PRESENT|USER error code on a machine with physical address
width >=41; in this case you don't get an EPT violation or misconfig.

- a #PF with RSVD error code on a machine with physical address with <41.

You can enable verbose mode in access.c to see if this case is being generated,
and if so debug it.

The solution for this would be to trap page faults and do a page table
walk (with vcpu->arch.walk_mmu->gva_to_gpa) to find the correct error
code.

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ