[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YS+lpeqHHgoA6W8A@google.com>
Date: Wed, 1 Sep 2021 16:09:09 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: Vitaly Kuznetsov <vkuznets@...hat.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+200c08e88ae818f849ce@...kaller.appspotmail.com
Subject: Re: [PATCH 1/3] Revert "KVM: x86: mmu: Add guest physical address
check in translate_gpa()"
On Wed, Sep 01, 2021, Vitaly Kuznetsov wrote:
> Sean Christopherson <seanjc@...gle.com> writes:
>
> > Revert a misguided illegal GPA check when "translating" a non-nested GPA.
> > The check is woefully incomplete as it does not fill in @exception as
> > expected by all callers, which leads to KVM attempting to inject a bogus
> > exception, potentially exposing kernel stack information in the process.
> >
> > WARNING: CPU: 0 PID: 8469 at arch/x86/kvm/x86.c:525 exception_type+0x98/0xb0 arch/x86/kvm/x86.c:525
> > CPU: 1 PID: 8469 Comm: syz-executor531 Not tainted 5.14.0-rc7-syzkaller #0
> > RIP: 0010:exception_type+0x98/0xb0 arch/x86/kvm/x86.c:525
> > Call Trace:
> > x86_emulate_instruction+0xef6/0x1460 arch/x86/kvm/x86.c:7853
> > kvm_mmu_page_fault+0x2f0/0x1810 arch/x86/kvm/mmu/mmu.c:5199
> > handle_ept_misconfig+0xdf/0x3e0 arch/x86/kvm/vmx/vmx.c:5336
> > __vmx_handle_exit arch/x86/kvm/vmx/vmx.c:6021 [inline]
> > vmx_handle_exit+0x336/0x1800 arch/x86/kvm/vmx/vmx.c:6038
> > vcpu_enter_guest+0x2a1c/0x4430 arch/x86/kvm/x86.c:9712
> > vcpu_run arch/x86/kvm/x86.c:9779 [inline]
> > kvm_arch_vcpu_ioctl_run+0x47d/0x1b20 arch/x86/kvm/x86.c:10010
> > kvm_vcpu_ioctl+0x49e/0xe50 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3652
> >
> > The bug has escaped notice because practically speaking the GPA check is
> > useless. The GPA check in question only comes into play when KVM is
> > walking guest page tables (or "translating" CR3), and KVM already handles
> > illegal GPA checks by setting reserved bits in rsvd_bits_mask for each
> > PxE, or in the case of CR3 for loading PTDPTRs, manually checks for an
> > illegal CR3. This particular failure doesn't hit the existing reserved
> > bits checks because syzbot sets guest.MAXPHYADDR=1, and IA32 architecture
> > simply doesn't allow for such an absurd MAXPHADDR, e.g. 32-bit paging
>
> "MAXPHYADDR"
Gah, I'm pretty sure I mistype that 50% of the time.
> I'm, however, wondering if it would also make sense to forbid setting
> nonsensical MAXPHYADDR, something like (compile-only tested):
That crossed my mind as well, but I actually think letting userspace provide
garbage is a good thing in this case. From a kernel-safety perspective, KVM
does not and _should_ not make any assumptions about guest.MAXPHYADDR. IMO, the
added test coverage gaind by allowing truly outrageous values outweighs the
potential danger, e.g. this bogus code would likely have gone unnoticed forever.
Powered by blists - more mailing lists