Date:   Fri, 23 Oct 2020 11:22:23 +0200
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Sean Christopherson <sean.j.christopherson@...el.com>,
        Jim Mattson <jmattson@...gle.com>
Cc:     Mohammed Gamal <mgamal@...hat.com>, kvm list <kvm@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Vitaly Kuznetsov <vkuznets@...hat.com>,
        Wanpeng Li <wanpengli@...cent.com>,
        Joerg Roedel <joro@...tes.org>
Subject: Re: [PATCH v3 7/9] KVM: VMX: Add guest physical address check in EPT
 violation and misconfig

On 23/10/20 05:14, Sean Christopherson wrote:
>>>> +
>>>> +       /*
>>>> +        * Check that the GPA doesn't exceed physical memory limits, as that is
>>>> +        * a guest page fault.  We have to emulate the instruction here, because
>>>> +        * if the illegal address is that of a paging structure, then
>>>> +        * EPT_VIOLATION_ACC_WRITE bit is set.  Alternatively, if supported we
>>>> +        * would also use advanced VM-exit information for EPT violations to
>>>> +        * reconstruct the page fault error code.
>>>> +        */
>>>> +       if (unlikely(kvm_mmu_is_illegal_gpa(vcpu, gpa)))
>>>> +               return kvm_emulate_instruction(vcpu, 0);
>>>> +
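Review bot: The comment's fallback claim ("Alternatively, if supported we would also use advanced VM-exit information for EPT violations to reconstruct the page fault error code") does not hold for the very case the comment singles out: when the illegal GPA is that of a paging-structure entry, bits 0..2 of the exit qualification describe the page walk's access to that entry rather than the instruction's final access, which is why EPT_VIOLATION_ACC_WRITE can be set there, and no advanced information is provided for such violations. Suggest dropping that sentence and keeping the comment to the first point: the GPA must raise a guest page fault, and emulating the instruction is how the correct error code is produced.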
>>> Is kvm's in-kernel emulator up to the task? What if the instruction in
>>> question is AVX-512, or one of the myriad instructions that the
>>> in-kernel emulator can't handle? Ice Lake must support the advanced
>>> VM-exit information for EPT violations, so that would seem like a
>>> better choice.
>>>
>> Anyone?
>
> Using "advanced info" if it's supported seems like the way to go.  Outright
> requiring it is probably overkill; if userspace wants to risk having to kill a
> (likely broken) guest, so be it.

Yeah, the instruction is expected to page-fault here.  However, the
comment is incorrect and advanced information does not help here.

The problem is that page fault error code bits cannot be reconstructed
from bits 0..2 of the EPT violation exit qualification, if bit 8 is
clear in the exit qualification (that is, if the access causing the EPT
violation is to a paging-structure entry).  In that case bits 0..2 refer
to the paging-structure access rather than to the final access.  In fact
advanced information is not available at all for paging-structure access
EPT violations.

Thanks,

Paolo
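The distinction Paolo draws between bit 8 set and bit 8 clear is easy to get wrong when reading exit qualifications, so here is an added illustration in C. It is not code from the patch, from KVM or from any participant in the thread: the macro names are defined locally (modelled on the EPT_VIOLATION_ACC_WRITE name quoted above, with bit positions from the Intel SDM's EPT violation exit qualification layout), the structs and functions are the example's own, and the sample exit qualifications are constructed rather than captured. It derives only the W/R, U/S and I/D error-code bits that bits 0..2 could feed, and refuses to derive anything when bit 8 is clear; a naive mapping without that check is shown beside it to make the misattribution visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Bit positions in the exit qualification of an EPT violation (Intel SDM,
 * "Exit Qualification for EPT Violations").  These names are this example's
 * own, not KVM's definitions.
 */
#define EQ_ACC_READ       (1ULL << 0) /* the access was a data read */
#define EQ_ACC_WRITE      (1ULL << 1) /* the access was a data write */
#define EQ_ACC_INSTR      (1ULL << 2) /* the access was an instruction fetch */
#define EQ_GLA_VALID      (1ULL << 7) /* a guest linear address is reported */
#define EQ_GLA_TRANSLATED (1ULL << 8) /* set: the violation came from translating
                                       * the linear address (the final access);
                                       * clear: from an access to a paging-
                                       * structure entry during the page walk */

/* x86 #PF error-code bits that bits 0..2 of the exit qualification could feed. */
#define PFERR_WRITE (1U << 1)
#define PFERR_USER  (1U << 2)
#define PFERR_FETCH (1U << 4)

struct pf_reconstruction {
	bool possible;       /* false: the exit qualification does not describe
	                      * the guest instruction's own access */
	uint32_t error_code; /* W/R, U/S and I/D only; P and RSVD are out of scope */
};

/*
 * The reconstruction the patch comment proposes, with the check the thread
 * says it needs: only when bit 8 is set do bits 0..2 describe the access
 * that the guest instruction itself made.
 */
static struct pf_reconstruction reconstruct_pf_error_code(uint64_t exit_qual,
							 bool guest_user_mode)
{
	struct pf_reconstruction r = { false, 0 };

	/* No linear address: the access was not a translation of one. */
	if (!(exit_qual & EQ_GLA_VALID))
		return r;

	/*
	 * Paging-structure access: bits 0..2 describe the page walk's own
	 * access to the entry, not the instruction's.  A read instruction can
	 * show up here with EQ_ACC_WRITE set, so deriving W/R from these bits
	 * would hand the guest the wrong error code.
	 */
	if (!(exit_qual & EQ_GLA_TRANSLATED))
		return r;

	r.possible = true;
	if (exit_qual & EQ_ACC_WRITE)
		r.error_code |= PFERR_WRITE;
	if (exit_qual & EQ_ACC_INSTR)
		r.error_code |= PFERR_FETCH;
	if (guest_user_mode)
		r.error_code |= PFERR_USER;
	return r;
}

/*
 * The same mapping without the bit-8 check, which is what the comment's
 * reasoning amounts to.  Kept only to show the misattribution.
 */
static uint32_t naive_pf_error_code(uint64_t exit_qual, bool guest_user_mode)
{
	uint32_t ec = 0;

	if (exit_qual & EQ_ACC_WRITE)
		ec |= PFERR_WRITE;
	if (exit_qual & EQ_ACC_INSTR)
		ec |= PFERR_FETCH;
	if (guest_user_mode)
		ec |= PFERR_USER;
	return ec;
}

int main(void)
{
	/* Constructed exit qualifications, not captured from hardware. */
	uint64_t final_write = EQ_ACC_WRITE | EQ_GLA_VALID | EQ_GLA_TRANSLATED;
	uint64_t pte_write   = EQ_ACC_WRITE | EQ_GLA_VALID; /* bit 8 clear */
	struct pf_reconstruction r;

	r = reconstruct_pf_error_code(final_write, true);
	printf("final access:  possible=%d error_code=%#x\n", r.possible, r.error_code);

	r = reconstruct_pf_error_code(pte_write, true);
	printf("paging struct: possible=%d (naive mapping would report %#x)\n",
	       r.possible, naive_pf_error_code(pte_write, true));
	return 0;
}
```

The second case is the one the thread is about: a write to a paging-structure entry reported with bit 8 clear. The naive mapping turns it into a user-mode write fault (0x6) regardless of what the guest instruction was doing, while the checked version reports that no error code can be derived, which is why the patch falls back to emulating the instruction.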
