[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200428003317.GC14870@linux.intel.com>
Date: Mon, 27 Apr 2020 17:33:17 -0700
From: Sean Christopherson <sean.j.christopherson@...el.com>
To: Jim Mattson <jmattson@...gle.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>,
LKML <linux-kernel@...r.kernel.org>,
kvm list <kvm@...r.kernel.org>, Joerg Roedel <joro@...tes.org>,
everdox@...il.com
Subject: Re: [PATCH] KVM: x86: handle wrap around 32-bit address space
On Mon, Apr 27, 2020 at 05:28:54PM -0700, Jim Mattson wrote:
> On Mon, Apr 27, 2020 at 9:59 AM Paolo Bonzini <pbonzini@...hat.com> wrote:
> > @@ -1568,8 +1568,17 @@ static int skip_emulated_instruction(struct kvm_vcpu *vcpu)
> > */
> > if (!static_cpu_has(X86_FEATURE_HYPERVISOR) ||
> > to_vmx(vcpu)->exit_reason != EXIT_REASON_EPT_MISCONFIG) {
> > - rip = kvm_rip_read(vcpu);
> > - rip += vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
> > + orig_rip = kvm_rip_read(vcpu);
> > + rip = orig_rip + vmcs_read32(VM_EXIT_INSTRUCTION_LEN);
> > +#ifdef CONFIG_X86_64
> > + /*
> > + * We need to mask out the high 32 bits of RIP if not in 64-bit
> > + * mode, but just finding out that we are in 64-bit mode is
> > + * quite expensive. Only do it if there was a carry.
> > + */
> > + if (unlikely(((rip ^ orig_rip) >> 31) == 3) && !is_64_bit_mode(vcpu))
>
> Is it actually possible to wrap around 0 without getting a segment
> limit violation, or is it only possible to wrap *to* 0 (i.e. rip==1ull
> << 32)?
Arbitrary wrap is possible. Limit checks are disabled for flat segs, it's
a legacy bug^W feature.
Powered by blists - more mailing lists