lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Apr 2020 17:33:17 -0700 From: Sean Christopherson <sean.j.christopherson@...el.com> To: Jim Mattson <jmattson@...gle.com> Cc: Paolo Bonzini <pbonzini@...hat.com>, LKML <linux-kernel@...r.kernel.org>, kvm list <kvm@...r.kernel.org>, Joerg Roedel <joro@...tes.org>, everdox@...il.com Subject: Re: [PATCH] KVM: x86: handle wrap around 32-bit address space On Mon, Apr 27, 2020 at 05:28:54PM -0700, Jim Mattson wrote: > On Mon, Apr 27, 2020 at 9:59 AM Paolo Bonzini <pbonzini@...hat.com> wrote: > > @@ -1568,8 +1568,17 @@ static int skip_emulated_instruction(struct kvm_vcpu *vcpu) > > */ > > if (!static_cpu_has(X86_FEATURE_HYPERVISOR) || > > to_vmx(vcpu)->exit_reason != EXIT_REASON_EPT_MISCONFIG) { > > - rip = kvm_rip_read(vcpu); > > - rip += vmcs_read32(VM_EXIT_INSTRUCTION_LEN); > > + orig_rip = kvm_rip_read(vcpu); > > + rip = orig_rip + vmcs_read32(VM_EXIT_INSTRUCTION_LEN); > > +#ifdef CONFIG_X86_64 > > + /* > > + * We need to mask out the high 32 bits of RIP if not in 64-bit > > + * mode, but just finding out that we are in 64-bit mode is > > + * quite expensive. Only do it if there was a carry. > > + */ > > + if (unlikely(((rip ^ orig_rip) >> 31) == 3) && !is_64_bit_mode(vcpu)) > > Is it actually possible to wrap around 0 without getting a segment > limit violation, or is it only possible to wrap *to* 0 (i.e. rip==1ull > << 32)? Arbitrary wrap is possible. Limit checks are disabled for flat segs, it's a legacy bug^W feature.
Powered by blists - more mailing lists