| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Ykd3ldZYDTndgxHI@google.com>
Date: Fri, 1 Apr 2022 22:07:17 +0000
From: Sean Christopherson <seanjc@...gle.com>
To: "Maciej S. Szmigiero" <mail@...iej.szmigiero.name>
Cc: Paolo Bonzini <pbonzini@...hat.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>,
Tom Lendacky <thomas.lendacky@....com>,
Brijesh Singh <brijesh.singh@....com>,
Jon Grimm <Jon.Grimm@....com>,
David Kaplan <David.Kaplan@....com>,
Boris Ostrovsky <boris.ostrovsky@...cle.com>,
Liam Merwick <liam.merwick@...cle.com>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/5] KVM: nSVM: Don't forget about L1-injected events
On Fri, Apr 01, 2022, Maciej S. Szmigiero wrote:
> On 1.04.2022 02:08, Sean Christopherson wrote:
> > where as SVM unconditionally treats #BP and #OF as soft:
> >
> > Injecting an exception (TYPE = 3) with vectors 3 or 4 behaves like a trap raised by
> > INT3 and INTO instructions
> >
> > Now I'm curious why Intel doesn't do the same...
>
> Perhaps it's just a result of VMX and SVM being developed independently,
> in parallel.
That definitely factors in, but nothing in VMX is spurious/random, there's always
a reason/motivation behind the architecture, even if that reason isn't obvious.
It bugs me that I can't figure out the "why" :-)
Ugh, but SVM still needs to fix injection for software interrupts, i.e. svm_inject_irq()
is broken.
> > > We still need L1 -> L2 event injection detection to restore the NextRIP
> > > field when re-injecting an event that uses it.
> >
> > You lost me on this one. KVM L0 is only (and always!) responsible for saving the
> > relevant info into vmcb12, why does it need to detect where the vectoring exception
> > came from?
>
> Look at the description of patch 4 of this patch set - after some
> L2 VMEXITs handled by L0 (in other words, which do *not* result in
> a nested VMEXIT to L1) the VMCB02 NextRIP field will be zero
> (APM 15.7.1 "State Saved on Exit" describes when this happens).
>
> If we attempt to re-inject some types of events with the NextRIP field
> being zero the return address pushed on stack will also be zero, which
> will obviously do bad things to the L2 when it returns from
> an (exception|interrupt) handler.
Right, but that issue isn't unique to L2 exits handled by L0. E.g. if KVM is using
shadow paging and a #PF "owned" by KVM occurs while vectoring INT3/INTO, then KVM
needs to restore NextRIP after resolving the #PF.
Argh, but NextRIP being zeroed makes it painful to handle the scenario where the
INT3/INT0 isn't injected, because doesn't have a record of the instruction length.
That's a big fail on SVM's part :-/
Huh, actually, it's not too bad to support. SVM already has the code to compute
the next RIP via the emulator, it's easy enough to reuse that code to calculate
NextRIP and then unwind RIP.
With your patch 1, your selftest and all KVM unit tests passes[*] with the attached
patch. I'll split it up and send out a proper series with your other fixes and
selftests. I apologize for usurping your series, I was sketching up a diff to
show what I had in mind for reinjecting and it ended up being less code than I
expected to actually get it working.
[*] The new SVM KUT tests don't pass, but that's a different mess, and anything
that uses INVCPID doesn't pass with nrips=0 && npt=0 because KVM's emulator
doesn't know how to decode INVPCID, but KVM needs to intercept INVPCID when
using shadow paging.
View attachment "0001-KVM-SVM-Re-inject-soft-interrupts-instead-of-retryin.patch" of type "text/x-diff" (6508 bytes)
Powered by blists - more mailing lists