Date: Tue, 12 Jan 2021 15:00:09 -0500
From: Bandan Das <bsd@...hat.com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: Wei Huang <wei.huang2@....com>, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, pbonzini@...hat.com, vkuznets@...hat.com, joro@...tes.org, bp@...en8.de, tglx@...utronix.de, mingo@...hat.com, x86@...nel.org, jmattson@...gle.com, wanpengli@...cent.com, dgilbert@...hat.com, mlevitsk@...hat.com
Subject: Re: [PATCH 1/2] KVM: x86: Add emulation support for #GP triggered by VM instructions

Sean Christopherson <seanjc@...gle.com> writes:

...
>> -	if ((emulation_type & EMULTYPE_VMWARE_GP) &&
>> -	    !is_vmware_backdoor_opcode(ctxt)) {
>> -		kvm_queue_exception_e(vcpu, GP_VECTOR, 0);
>> -		return 1;
>> +	if (emulation_type & EMULTYPE_PARAVIRT_GP) {
>> +		vminstr = is_vm_instr_opcode(ctxt);
>> +		if (!vminstr && !is_vmware_backdoor_opcode(ctxt)) {
>> +			kvm_queue_exception_e(vcpu, GP_VECTOR, 0);
>> +			return 1;
>> +		}
>> +		if (vminstr)
>> +			return vminstr;
>
> I'm pretty sure this doesn't correctly handle a VM-instr in L2 that hits a bad
> L0 GPA and that L1 wants to intercept.  The intercept bitmap isn't checked until
> x86_emulate_insn(), and the vm*_interception() helpers expect nested VM-Exits to
> be handled further up the stack.
>

So, the condition is that L2 executes a vmload and #GPs on a reserved address, jumps to L0 - L0 doesn't check if L1 has asked for the instruction to be intercepted and goes on with emulating vmload and returning back to L2 ?

>> 	}
>>
>> 	/*
>> --
>> 2.27.0
>>
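Review bot: the early `return vminstr;` in the `EMULTYPE_PARAVIRT_GP` branch leaves the function before the emulator proper runs, so for a VM instruction executed by L2 nothing on this path consults L1's intercept configuration, which is the gap Sean points out; the branch also uses the classification value from `is_vm_instr_opcode(ctxt)` directly as the function's return code, so the caller's result now depends on how that helper numbers opcodes rather than on an explicit emulation status. Suggest checking, before emulating, whether the vCPU is running a nested guest and L1 intercepts this instruction (and in that case synthesizing the nested VM-Exit the way the existing `vm*_interception()` callers expect), and returning an explicit status from this branch instead of `vminstr`.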
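The ordering question in the exchange above (classify the #GP-triggering VM instruction, then decide whether L0 may emulate it or must hand it to L1) is easy to state but easy to get wrong, so here is an added, self-contained C model of it. It is an illustration written for this page, not KVM code: `struct vcpu_model`, `decode_vm_instr`, the two `dispatch_*` functions, the `ACT_*` results and the sample instruction bytes are all invented for the example. The only real data it relies on are the SVM opcode encodings (0F 01 followed by a D8..DF ModRM byte). `dispatch_as_posted` mirrors the shape of the posted hunk, where a recognised VM instruction is emulated in L0 immediately; `dispatch_checked` consults the (modelled) L1 intercept bitmap first when a nested guest is running, which is the behaviour the review asks for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical toy model of the dispatch decision discussed in the thread:
 * once a #GP-triggering VM instruction has been decoded, who handles it?
 * This is an illustration, not KVM code; all names here are invented. */

/* SVM instructions share the 0F 01 opcode; the third byte selects the one. */
enum vm_instr {
	VI_VMRUN   = 0xd8,
	VI_VMMCALL = 0xd9,
	VI_VMLOAD  = 0xda,
	VI_VMSAVE  = 0xdb,
	VI_STGI    = 0xdc,
	VI_CLGI    = 0xdd,
	VI_INVLPGA = 0xdf,
};

enum action {
	ACT_INJECT_GP,     /* not a VM instruction: reflect the #GP into the guest */
	ACT_EMULATE_L0,    /* L0 emulates the instruction on the guest's behalf   */
	ACT_NESTED_VMEXIT, /* guest is L2 and L1 intercepts it: exit to L1 instead */
};

struct vcpu_model {
	bool in_guest_mode;          /* true while a nested guest (L2) is running */
	uint32_t l1_intercept_bitmap; /* bit (modrm - 0xd8) set => L1 intercepts  */
};

/* Returns the VI_* value for a VM instruction, or -1 for anything else. */
static int decode_vm_instr(const uint8_t *insn, size_t len)
{
	if (len < 3 || insn[0] != 0x0f || insn[1] != 0x01)
		return -1;
	switch (insn[2]) {
	case VI_VMRUN: case VI_VMMCALL: case VI_VMLOAD: case VI_VMSAVE:
	case VI_STGI:  case VI_CLGI:    case VI_INVLPGA:
		return insn[2];
	default:
		return -1;
	}
}

/* True only when L2 is running and L1 asked to intercept this instruction. */
static bool l1_intercepts(const struct vcpu_model *v, int vi)
{
	return v->in_guest_mode &&
	       (v->l1_intercept_bitmap & (1u << (vi - VI_VMRUN)));
}

/* Ordering of the posted hunk: a VM instruction is emulated in L0 right away,
 * without asking whether the vCPU is in guest mode or what L1 wants. */
static enum action dispatch_as_posted(const struct vcpu_model *v,
				      const uint8_t *insn, size_t len)
{
	(void)v;
	if (decode_vm_instr(insn, len) < 0)
		return ACT_INJECT_GP;
	return ACT_EMULATE_L0;
}

/* Ordering the review asks for: consult L1's intercepts before emulating. */
static enum action dispatch_checked(const struct vcpu_model *v,
				    const uint8_t *insn, size_t len)
{
	int vi = decode_vm_instr(insn, len);

	if (vi < 0)
		return ACT_INJECT_GP;
	if (l1_intercepts(v, vi))
		return ACT_NESTED_VMEXIT;
	return ACT_EMULATE_L0;
}

/* Constructed sample instruction bytes (VMLOAD, and a plain NOP for contrast). */
static const uint8_t INSN_VMLOAD[3] = { 0x0f, 0x01, 0xda };
static const uint8_t INSN_NOP[1]    = { 0x90 };

int main(void)
{
	/* The thread's scenario: L2 executes VMLOAD and L1 intercepts VMLOAD. */
	struct vcpu_model v = {
		.in_guest_mode = true,
		.l1_intercept_bitmap = 1u << (VI_VMLOAD - VI_VMRUN),
	};

	printf("as posted: %d (0=#GP 1=emulate-in-L0 2=nested-exit)\n",
	       dispatch_as_posted(&v, INSN_VMLOAD, sizeof INSN_VMLOAD));
	printf("checked  : %d\n",
	       dispatch_checked(&v, INSN_VMLOAD, sizeof INSN_VMLOAD));
	printf("nop      : %d\n",
	       dispatch_checked(&v, INSN_NOP, sizeof INSN_NOP));
	return 0;
}
```

Running it shows the two orderings disagree exactly in the nested case: with L2 running and the VMLOAD intercept set, the as-posted flow emulates in L0 while the checked flow produces a nested VM-Exit; when no nested guest is running, both emulate in L0, and a non-VM instruction gets a #GP either way.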