[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230817233430.1416463-3-seanjc@google.com>
Date: Thu, 17 Aug 2023 16:34:30 -0700
From: Sean Christopherson <seanjc@...gle.com>
To: Sean Christopherson <seanjc@...gle.com>,
Paolo Bonzini <pbonzini@...hat.com>
Cc: kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
Michal Luczaj <mhal@...x.co>
Subject: [PATCH 2/2] KVM: selftests: Explicit set #UD when *potentially*
injecting exception
Explicitly set the exception vector to #UD when potentially injecting an
exception in sync_regs_test's subtests that try to detect TOCTOU bugs
in KVM's handling of exceptions injected by userspace. A side effect of
the original KVM bug was that KVM would clear the vector, but relying on
KVM to clear the vector (i.e. make it #DE) makes it less likely that the
test would ever find *new* KVM bugs, e.g. because only the first iteration
would run with a legal vector to start.
Explicitly inject #UD for race_events_inj_pen() as well, e.g. so that it
doesn't inherit the illegal 255 vector from race_events_exc(), which
currently runs first.
Signed-off-by: Sean Christopherson <seanjc@...gle.com>
---
tools/testing/selftests/kvm/x86_64/sync_regs_test.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/testing/selftests/kvm/x86_64/sync_regs_test.c b/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
index 21e99dae2ff2..00965ba33f73 100644
--- a/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
+++ b/tools/testing/selftests/kvm/x86_64/sync_regs_test.c
@@ -91,6 +91,8 @@ static void *race_events_inj_pen(void *arg)
struct kvm_run *run = (struct kvm_run *)arg;
struct kvm_vcpu_events *events = &run->s.regs.events;
+ WRITE_ONCE(events->exception.nr, UD_VECTOR);
+
for (;;) {
WRITE_ONCE(run->kvm_dirty_regs, KVM_SYNC_X86_EVENTS);
WRITE_ONCE(events->flags, 0);
@@ -115,6 +117,7 @@ static void *race_events_exc(void *arg)
for (;;) {
WRITE_ONCE(run->kvm_dirty_regs, KVM_SYNC_X86_EVENTS);
WRITE_ONCE(events->flags, 0);
+ WRITE_ONCE(events->exception.nr, UD_VECTOR);
WRITE_ONCE(events->exception.pending, 1);
WRITE_ONCE(events->exception.nr, 255);
--
2.42.0.rc1.204.g551eb34607-goog
Powered by blists - more mailing lists