| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200323154555.GH28711@linux.intel.com>
Date: Mon, 23 Mar 2020 08:45:55 -0700
From: Sean Christopherson <sean.j.christopherson@...el.com>
To: Vitaly Kuznetsov <vkuznets@...hat.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, Ben Gardon <bgardon@...gle.com>,
Junaid Shahid <junaids@...gle.com>,
Liran Alon <liran.alon@...cle.com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
John Haxby <john.haxby@...cle.com>,
Miaohe Lin <linmiaohe@...wei.com>,
Tom Lendacky <thomas.lendacky@....com>
Subject: Re: [PATCH v3 02/37] KVM: nVMX: Validate the EPTP when emulating
INVEPT(EXTENT_CONTEXT)
On Mon, Mar 23, 2020 at 03:51:17PM +0100, Vitaly Kuznetsov wrote:
> Sean Christopherson <sean.j.christopherson@...el.com> writes:
>
> > Signal VM-Fail for the single-context variant of INVEPT if the specified
> > EPTP is invalid. Per the INEVPT pseudocode in Intel's SDM, it's subject
> > to the standard EPT checks:
> >
> > If VM entry with the "enable EPT" VM execution control set to 1 would
> > fail due to the EPTP value then VMfail(Invalid operand to INVEPT/INVVPID);
> >
> > Fixes: bfd0a56b90005 ("nEPT: Nested INVEPT")
> > Signed-off-by: Sean Christopherson <sean.j.christopherson@...el.com>
> > ---
> > arch/x86/kvm/vmx/nested.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > index 8578513907d7..f3774cef4fd4 100644
> > --- a/arch/x86/kvm/vmx/nested.c
> > +++ b/arch/x86/kvm/vmx/nested.c
> > @@ -5156,8 +5156,12 @@ static int handle_invept(struct kvm_vcpu *vcpu)
> > }
> >
> > switch (type) {
> > - case VMX_EPT_EXTENT_GLOBAL:
> > case VMX_EPT_EXTENT_CONTEXT:
> > + if (!nested_vmx_check_eptp(vcpu, operand.eptp))
> > + return nested_vmx_failValid(vcpu,
> > + VMXERR_INVALID_OPERAND_TO_INVEPT_INVVPID);
>
> I was going to ask "and we don't seem to check that current nested VMPTR
> is valid, how can we know that nested_vmx_failValid() is the right
> VMfail() to use" but then I checked our nested_vmx_failValid() and there
> is a fallback there:
>
> if (vmx->nested.current_vmptr == -1ull && !vmx->nested.hv_evmcs)
> return nested_vmx_failInvalid(vcpu);
>
> so this is a non-issue. My question, however, transforms into "would it
> make sense to introduce nested_vmx_fail() implementing the logic from
> SDM:
>
> VMfail(ErrorNumber):
> IF VMCS pointer is valid
> THEN VMfailValid(ErrorNumber);
> ELSE VMfailInvalid;
> FI;
>
Hmm, I wouldn't be opposed to such a wrapper. It would pair with
nested_vmx_succeed().
>
> > + fallthrough;
> > + case VMX_EPT_EXTENT_GLOBAL:
> > /*
> > * TODO: Sync the necessary shadow EPT roots here, rather than
> > * at the next emulated VM-entry.
>
> Reviewed-by: Vitaly Kuznetsov <vkuznets@...hat.com>
>
> --
> Vitaly
>
Powered by blists - more mailing lists