| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Feb 2020 14:36:22 -0800
From: Sean Christopherson <sean.j.christopherson@...el.com>
To: Jim Mattson <jmattson@...gle.com>
Cc: Mohammed Gamal <mgamal@...hat.com>, kvm list <kvm@...r.kernel.org>,
Paolo Bonzini <pbonzini@...hat.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Joerg Roedel <joro@...tes.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/5] KVM: VMX: Add guest physical address check in EPT
violation and misconfig
On Thu, Feb 27, 2020 at 09:55:32AM -0800, Jim Mattson wrote:
> On Thu, Feb 27, 2020 at 9:23 AM Mohammed Gamal <mgamal@...hat.com> wrote:
> >
> > Check guest physical address against it's maximum physical memory. If
> Nit: "its," without an apostrophe.
>
> > the guest's physical address exceeds the maximum (i.e. has reserved bits
> > set), inject a guest page fault with PFERR_RSVD_MASK.
Wish I had actually read this series when it first flew by, just spent
several hours debugging this exact thing when running the "access" test.
> > Signed-off-by: Mohammed Gamal <mgamal@...hat.com>
> > ---
> > arch/x86/kvm/vmx/vmx.c | 13 +++++++++++++
> > 1 file changed, 13 insertions(+)
> >
> > diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> > index 63aaf44edd1f..477d196aa235 100644
> > --- a/arch/x86/kvm/vmx/vmx.c
> > +++ b/arch/x86/kvm/vmx/vmx.c
> > @@ -5162,6 +5162,12 @@ static int handle_ept_violation(struct kvm_vcpu *vcpu)
> > gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
> > trace_kvm_page_fault(gpa, exit_qualification);
> >
> > + /* Check if guest gpa doesn't exceed physical memory limits */
> > + if (gpa >= (1ull << cpuid_maxphyaddr(vcpu))) {
Add a helper for this, it's easier than copy-pasting the comment and code
everywhere. BIT_ULL() is also handy.
static inline bool kvm_mmu_is_illegal_gpa(gpa_t gpa)
{
return (gpa < BIT_ULL(cpuid_maxphyaddr(vcpu)));
}
> > + kvm_inject_rsvd_bits_pf(vcpu, gpa);
>
> Even if PFERR_RSVD_MASK is set in the page fault error code, shouldn't
> we set still conditionally set:
> PFERR_WRITE_MASK - for an attempted write
> PFERR_USER_MASK - for a usermode access
> PFERR_FETCH_MASK - for an instruction fetch
Yep. Move this down below where error_code is calculated. Then the code
should be something like this. Not fun to handle this with EPT :-(
Note, VMCS.GUEST_LINEAR_ADDRESS isn't guaranteed to be accurate, e.g. if
the guest is putting bad gpas into Intel PT, but I don't think we have any
choice but to blindly cram it in and hope for the best.
if (unlikely(kvm_mmu_is_illegal_gpa(vcpu, gpa))) {
/* Morph the EPT error code into a #PF error code. */
error_code &= ~(PFERR_USER_MASK | PFERR_GUEST_FINAL_MASK |
PFERR_GUEST_PAGE_MASK);
if (vmx_get_cpl(vcpu) == 3)
error_code |= PFERR_USER_MASK;
error_code |= PFERR_PRESENT_MASK;
kvm_inject_rsvd_bits_pf(vcpu, vmcs_readl(GUEST_LINEAR_ADDRESS),
error_code);
return 1;
}
> > + return 1;
> > + }
> > +
> > /* Is it a read fault? */
> > error_code = (exit_qualification & EPT_VIOLATION_ACC_READ)
> > ? PFERR_USER_MASK : 0;
> > @@ -5193,6 +5199,13 @@ static int handle_ept_misconfig(struct kvm_vcpu *vcpu)
> > * nGPA here instead of the required GPA.
> > */
> > gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS);
> > +
> > + /* Check if guest gpa doesn't exceed physical memory limits */
> > + if (gpa >= (1ull << cpuid_maxphyaddr(vcpu))) {
> > + kvm_inject_rsvd_bits_pf(vcpu, gpa);
>
> And here as well?
This shouldn't happen. If KVM creates a bad EPTE for an illegal GPA, we
done goofed up. I.e.
if (WARN_ON_ONCE(kvm_mmu_is_illegal_gpa(vcpu, gpa))) {
vcpu->run->blah = blah;
return 0;
}
>
> > + return 1;
> > + }
> > +
> > if (!is_guest_mode(vcpu) &&
> > !kvm_io_bus_write(vcpu, KVM_FAST_MMIO_BUS, gpa, 0, NULL)) {
> > trace_kvm_fast_mmio(gpa);
> > --
> > 2.21.1
> >
Powered by blists - more mailing lists