| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87leugokcq.fsf@redhat.com>
Date: Wed, 01 Jun 2022 10:31:49 +0200
From: Vitaly Kuznetsov <vkuznets@...hat.com>
To: Sean Christopherson <seanjc@...gle.com>
Cc: Wanpeng Li <wanpengli@...cent.com>,
Jim Mattson <jmattson@...gle.com>,
Joerg Roedel <joro@...tes.org>, kvm@...r.kernel.org,
linux-kernel@...r.kernel.org, Kees Cook <keescook@...omium.org>,
Robert Dinse <nanook@...imo.com>,
Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [PATCH v2 7/8] KVM: x86: Bug the VM if the emulator generates a
bogus exception vector
Sean Christopherson <seanjc@...gle.com> writes:
> Bug the VM if KVM's emulator attempts to inject a bogus exception vector.
> The guest is likely doomed even if KVM continues on, and propagating a
> bad vector to the rest of KVM runs the risk of breaking other assumptions
> in KVM and thus triggering a more egregious bug.
>
> All existing users of emulate_exception() have hardcoded vector numbers
> (__load_segment_descriptor() uses a few different vectors, but they're
> all hardcoded), and future users are likely to follow suit, i.e. the
> change to emulate_exception() is a glorified nop.
>
> As for the ctxt->exception.vector check in x86_emulate_insn(), the few
> known times the WARN has been triggered in the past is when the field was
> not set when synthesizing a fault, i.e. for all intents and purposes the
> check protects against consumption of uninitialized data.
>
> Signed-off-by: Sean Christopherson <seanjc@...gle.com>
> ---
> arch/x86/kvm/emulate.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 70a8e0cd9fdc..2aa17462a9ac 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -624,7 +624,9 @@ static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg)
> static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec,
> u32 error, bool valid)
> {
> - WARN_ON(vec > 0x1f);
> + if (KVM_EMULATOR_BUG_ON(vec > 0x1f, ctxt))
> + return X86EMUL_UNHANDLEABLE;
> +
> ctxt->exception.vector = vec;
> ctxt->exception.error_code = error;
> ctxt->exception.error_code_valid = valid;
> @@ -5728,7 +5730,8 @@ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt)
>
> done:
> if (rc == X86EMUL_PROPAGATE_FAULT) {
> - WARN_ON(ctxt->exception.vector > 0x1f);
> + if (KVM_EMULATOR_BUG_ON(ctxt->exception.vector > 0x1f, ctxt))
> + return EMULATION_FAILED;
> ctxt->have_exception = true;
> }
> if (rc == X86EMUL_INTERCEPTED)
Reviewed-by: Vitaly Kuznetsov <vkuznets@...hat.com>
--
Vitaly
Powered by blists - more mailing lists