Message-ID: <aWEcEQzHFQOeJnU4@google.com>
Date: Fri, 9 Jan 2026 07:17:37 -0800
From: Sean Christopherson <seanjc@...gle.com>
To: Xiaoyao Li <xiaoyao.li@...el.com>
Cc: Paolo Bonzini <pbonzini@...hat.com>, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, 
	Chao Gao <chao.gao@...el.com>, Xin Li <xin@...or.com>, Yosry Ahmed <yosry.ahmed@...ux.dev>
Subject: Re: [PATCH v3 3/4] KVM: nVMX: Disallow access to vmcs12 fields that
 aren't supported by "hardware"

On Fri, Jan 09, 2026, Sean Christopherson wrote:
> On Fri, Jan 09, 2026, Xiaoyao Li wrote:
> > On 1/9/2026 12:15 PM, Sean Christopherson wrote:
> > > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > > index 61113ead3d7b..ac7a17560c8f 100644
> > > --- a/arch/x86/kvm/vmx/nested.c
> > > +++ b/arch/x86/kvm/vmx/nested.c
> > > @@ -111,6 +111,9 @@ static void init_vmcs_shadow_fields(void)
> > >   			  field <= GUEST_TR_AR_BYTES,
> > >   			  "Update vmcs12_write_any() to drop reserved bits from AR_BYTES");
> > > +		if (get_vmcs12_field_offset(field) < 0)
> > > +			continue;
> > > +
> > 
> > why shadow_read_only_fields[] doesn't need such guard?
> > 
> > IIUC, copy_vmcs12_to_shadow() will VMWRITE shadowed readonly field even if
> > it doesn't exist on the hardware?
> 
> Because I fixated on the existing checks and didn't look at the first for-loop.
> 
> This time around I'll test by hacking in shadowed fields arbitrary shadow fields.

And with the RO fields handled, the below doesn't explode (I verified there are failures
aplenty if either the RO or the RW check is commented out).

diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index c85c50019523..7d9bedd06afd 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -262,8 +262,12 @@ enum vmcs_field {
        SHARED_EPT_POINTER              = 0x0000203C,
        PID_POINTER_TABLE               = 0x00002042,
        PID_POINTER_TABLE_HIGH          = 0x00002043,
+       INJECTED_EVENT_DATA             = 0x00002052,
+       INJECTED_EVENT_DATA_HIGH        = 0x00002053,
        GUEST_PHYSICAL_ADDRESS          = 0x00002400,
        GUEST_PHYSICAL_ADDRESS_HIGH     = 0x00002401,
+       ORIGINAL_EVENT_DATA             = 0x00002404,
+       ORIGINAL_EVENT_DATA_HIGH        = 0x00002405,
        VMCS_LINK_POINTER               = 0x00002800,
        VMCS_LINK_POINTER_HIGH          = 0x00002801,
        GUEST_IA32_DEBUGCTL             = 0x00002802,
diff --git a/arch/x86/kvm/vmx/vmcs12.c b/arch/x86/kvm/vmx/vmcs12.c
index 1ebe67c384ad..7952d58fb2d8 100644
--- a/arch/x86/kvm/vmx/vmcs12.c
+++ b/arch/x86/kvm/vmx/vmcs12.c
@@ -157,6 +157,8 @@ static const u16 kvm_supported_vmcs12_field_offsets[] __initconst = {
        FIELD(HOST_S_CET, host_s_cet),
        FIELD(HOST_SSP, host_ssp),
        FIELD(HOST_INTR_SSP_TABLE, host_ssp_tbl),
+       FIELD64(INJECTED_EVENT_DATA, injected_event_data),
+       FIELD64(ORIGINAL_EVENT_DATA, original_event_data),
 };
 
 u16 vmcs12_field_offsets[ARRAY_SIZE(kvm_supported_vmcs12_field_offsets)] __ro_after_init;
@@ -204,6 +206,12 @@ static __init bool cpu_has_vmcs12_field(unsigned int idx)
        case HOST_INTR_SSP_TABLE:
                return cpu_has_load_cet_ctrl();
 
+       case ORIGINAL_EVENT_DATA:
+       case ORIGINAL_EVENT_DATA_HIGH:
+       case INJECTED_EVENT_DATA:
+       case INJECTED_EVENT_DATA_HIGH:
+               return false;
+
        /* KVM always emulates PML and the VMX preemption timer in software. */
        case GUEST_PML_INDEX:
        case VMX_PREEMPTION_TIMER_VALUE:
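Review bot: The new `case ORIGINAL_EVENT_DATA ... INJECTED_EVENT_DATA_HIGH:` block returns `false` unconditionally with no comment, whereas the neighbouring cases tie the answer to a capability helper (`cpu_has_load_cet_ctrl()`) or explain the constant answer (the PML/preemption-timer comment directly below). Since the message text says these fields are hacked in purely so the shadow-field guards have something to reject, a comment stating that would keep a later reader from mistaking this for a real capability decision: `/* Test hack: report these as unsupported so the RO/RW shadow-field guards are exercised. */`. If this were ever meant for merging, the result would presumably have to be derived from an actual feature check rather than a constant. cpu_has_vmcs12_field() begins and ends outside the hunk.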
diff --git a/arch/x86/kvm/vmx/vmcs12.h b/arch/x86/kvm/vmx/vmcs12.h
index 21cd1b75e4fd..56565722f527 100644
--- a/arch/x86/kvm/vmx/vmcs12.h
+++ b/arch/x86/kvm/vmx/vmcs12.h
@@ -191,6 +191,9 @@ struct __packed vmcs12 {
        u16 host_gs_selector;
        u16 host_tr_selector;
        u16 guest_pml_index;
+
+       u64 injected_event_data;
+       u64 original_event_data;
 };
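Review bot: The two new `u64` members are appended after a `u16` in a `__packed` struct, so they sit at non-8-byte-aligned offsets; that is legal for packed access, but it also grows and shifts the vmcs12 layout, and any offset or size build-time checks on `struct vmcs12` elsewhere in the file (not visible in this hunk) would presumably need revisiting if this were kept. Given the cover text describes the change as a test hack, the fields should at least say so in place, e.g. `/* Test-only fields, not a real vmcs12 layout change. */` above `u64 injected_event_data;`. The struct definition begins outside the hunk.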
 
 /*
diff --git a/arch/x86/kvm/vmx/vmcs_shadow_fields.h b/arch/x86/kvm/vmx/vmcs_shadow_fields.h
index cad128d1657b..d23ffedaf25b 100644
--- a/arch/x86/kvm/vmx/vmcs_shadow_fields.h
+++ b/arch/x86/kvm/vmx/vmcs_shadow_fields.h
@@ -75,5 +75,10 @@ SHADOW_FIELD_RW(HOST_GS_BASE, host_gs_base)
 SHADOW_FIELD_RO(GUEST_PHYSICAL_ADDRESS, guest_physical_address)
 SHADOW_FIELD_RO(GUEST_PHYSICAL_ADDRESS_HIGH, guest_physical_address)
 
+SHADOW_FIELD_RO(ORIGINAL_EVENT_DATA, original_event_data)
+SHADOW_FIELD_RO(ORIGINAL_EVENT_DATA_HIGH, original_event_data)
+SHADOW_FIELD_RW(INJECTED_EVENT_DATA, injected_event_data)
+SHADOW_FIELD_RW(INJECTED_EVENT_DATA_HIGH, injected_event_data)
+
 #undef SHADOW_FIELD_RO
 #undef SHADOW_FIELD_RW
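Review bot: The two new `SHADOW_FIELD_RW(INJECTED_EVENT_DATA, ...)` lines are placed after the `SHADOW_FIELD_RO` entries, while the visible context puts the RW entry (`HOST_GS_BASE`) before the RO group, so the RW/RO grouping the file appears to use is broken by this hunk; moving the two RW lines up next to the other RW entries keeps the groups separate. Mapping both the low and `_HIGH` encodings to the same vmcs12 member mirrors the GUEST_PHYSICAL_ADDRESS pair above, so that part looks intentional. Because these entries exist only to exercise the unsupported-field guards described in the message, a one-line marker would help: `/* Test-only: fields deliberately unsupported, to exercise the RO and RW guards. */`.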
