Date:   Mon, 27 Apr 2020 17:33:17 -0700
From:   Sean Christopherson <sean.j.christopherson@...el.com>
To:     Jim Mattson <jmattson@...gle.com>
Cc:     Paolo Bonzini <pbonzini@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        kvm list <kvm@...r.kernel.org>, Joerg Roedel <joro@...tes.org>,
        everdox@...il.com
Subject: Re: [PATCH] KVM: x86: handle wrap around 32-bit address space

On Mon, Apr 27, 2020 at 05:28:54PM -0700, Jim Mattson wrote:
> On Mon, Apr 27, 2020 at 9:59 AM Paolo Bonzini <pbonzini@...hat.com> wrote:
> > @@ -1568,8 +1568,17 @@ static int skip_emulated_instruction(struct kvm_vcpu *vcpu)
> >          */
> >         if (!static_cpu_has(X86_FEATURE_HYPERVISOR) ||
> >             to_vmx(vcpu)->exit_reason != EXIT_REASON_EPT_MISCONFIG) {
> > -               rip = kvm_rip_read(vcpu);
> > -               rip += vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
> > +               orig_rip = kvm_rip_read(vcpu);
> > +               rip = orig_rip + vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
> > +#ifdef CONFIG_X86_64
> > +               /*
> > +                * We need to mask out the high 32 bits of RIP if not in 64-bit
> > +                * mode, but just finding out that we are in 64-bit mode is
> > +                * quite expensive.  Only do it if there was a carry.
> > +                */
> > +               if (unlikely(((rip ^ orig_rip) >> 31) == 3) && !is_64_bit_mode(vcpu))
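Review bot: the `== 3` test on `(rip ^ orig_rip) >> 31` relies on `orig_rip` having no bits set above bit 31 outside 64-bit mode, and the comment above it does not say so; spell out the bit pattern in the comment, e.g. "a carry out of bit 31 clears bit 31, sets bit 32 and leaves bits 33+ untouched, so the XOR shifted right by 31 is exactly 0b11", otherwise a reader has to work the arithmetic out before trusting the constant. The masking of `rip` that the comment promises ("mask out the high 32 bits") is not among the quoted lines, so it cannot be checked here; and whether "not in 64-bit mode" is meant to include 16-bit code segments, where a 32-bit mask may not be the right width, deserves a sentence in the comment or the changelog.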
> 
> Is it actually possible to wrap around 0 without getting a segment
> limit violation, or is it only possible to wrap *to* 0 (i.e. rip==1ull
> << 32)?

Arbitrary wrap is possible.  Limit checks are disabled for flat segs; it's
a legacy bug^W feature.
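The carry-detection trick in the quoted hunk, together with the "arbitrary wrap" (past zero, not just to zero) that Sean describes, worked through in C as an added example that is not KVM's own code. `next_rip()` is a hypothetical stand-in for the RIP update in skip_emulated_instruction(): it takes the instruction length and the 64-bit-mode flag as plain parameters instead of reading the VMCS and vCPU state, and `carried_past_bit31()` isolates the XOR test so it can be checked on its own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Cheap test for "the add carried out of bit 31".  Outside 64-bit mode
 * orig_rip has no bits set above bit 31, so a carry clears bit 31, sets
 * bit 32 and leaves bits 33+ untouched: the XOR of old and new RIP,
 * shifted right by 31, is then exactly 0b11 == 3.  This mirrors the
 * condition in the quoted hunk; it is not KVM's code.
 */
static bool carried_past_bit31(uint64_t orig_rip, uint64_t rip)
{
    return ((rip ^ orig_rip) >> 31) == 3;
}

/*
 * Hypothetical stand-in for the RIP advance in skip_emulated_instruction():
 * insn_len plays the role of VM_EXIT_INSTRUCTION_LEN and is_64bit_mode the
 * role of is_64_bit_mode(vcpu), which the hunk only evaluates after the
 * cheap carry test fires.  Only the 32-bit wrap is handled, as in the hunk;
 * 16-bit code segments are not special-cased here either.
 */
static uint64_t next_rip(uint64_t orig_rip, uint32_t insn_len, bool is_64bit_mode)
{
    uint64_t rip = orig_rip + insn_len;

    if (carried_past_bit31(orig_rip, rip) && !is_64bit_mode)
        rip = (uint32_t)rip;    /* drop the carry: wrap within 32 bits */

    return rip;
}

int main(void)
{
    /* Constructed sample cases, not captured guest state. */
    struct { uint64_t orig; uint32_t len; bool m64; } cases[] = {
        { 0xFFFFFFF0ULL, 16, false },   /* wraps exactly to 0          */
        { 0xFFFFFFFEULL,  5, false },   /* arbitrary wrap: ends at 3   */
        { 0xFFFFFFFEULL,  5, true  },   /* 64-bit mode: no masking     */
        { 0x7FFFFFFEULL,  5, false },   /* crosses 2^31, no carry out  */
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("orig=%#018llx len=%2u 64bit=%d -> rip=%#llx\n",
               (unsigned long long)cases[i].orig, cases[i].len, cases[i].m64,
               (unsigned long long)next_rip(cases[i].orig, cases[i].len, cases[i].m64));
    return 0;
}
```

The second case is the one Jim asks about: 0xFFFFFFFE plus a 5-byte instruction lands at 3 rather than at 0, and the carry test still fires because the XOR pattern only depends on the carry, not on how far past zero the sum went. The fourth case shows why the shift is by 31 and the constant is 3 rather than a simple "bit 32 set" test: crossing 2^31 flips bit 31 alone and yields 1, so the expensive mode lookup is skipped.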
