* [PATCH] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-10 19:43 ` Dan Carpenter
0 siblings, 0 replies; 20+ messages in thread
From: Dan Carpenter @ 2017-05-10 19:43 UTC (permalink / raw)
To: Paolo Bonzini, Bandan Das
Cc: Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
There are PML_ENTITY_NUM elements in the pml_address[] array so the >
should be >= or we write beyond the end of the array when we do:
pml_address[vmcs12->guest_pml_index--] = gpa;
Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index c6f4ad44aa95..7698e8f321bf 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
if (!nested_cpu_has_pml(vmcs12))
return 0;
- if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {
+ if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
vmx->nested.pml_full = true;
return 1;
}
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [PATCH] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-10 19:43 ` Dan Carpenter
0 siblings, 0 replies; 20+ messages in thread
From: Dan Carpenter @ 2017-05-10 19:43 UTC (permalink / raw)
To: Paolo Bonzini, Bandan Das
Cc: Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
There are PML_ENTITY_NUM elements in the pml_address[] array so the >
should be >= or we write beyond the end of the array when we do:
pml_address[vmcs12->guest_pml_index--] = gpa;
Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index c6f4ad44aa95..7698e8f321bf 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
if (!nested_cpu_has_pml(vmcs12))
return 0;
- if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {
+ if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
vmx->nested.pml_full = true;
return 1;
}
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [PATCH] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-10 19:43 ` Dan Carpenter
@ 2017-05-10 20:18 ` Bandan Das
-1 siblings, 0 replies; 20+ messages in thread
From: Bandan Das @ 2017-05-10 20:18 UTC (permalink / raw)
To: Dan Carpenter
Cc: Paolo Bonzini, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
Dan Carpenter <dan.carpenter@oracle.com> writes:
> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
> should be >= or we write beyond the end of the array when we do:
>
> pml_address[vmcs12->guest_pml_index--] = gpa;
>
> Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index c6f4ad44aa95..7698e8f321bf 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
> if (!nested_cpu_has_pml(vmcs12))
> return 0;
>
> - if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {
> + if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
This is actually an overflow check and as the counter decrements, we hit
0xffff which will satisfy guest_pml_index > PML_ENTITY_NUM.
However, a buggy guest hypervisor can write 512 to guest_pml_index and in that
case, we need to inject a pml full event which won't happen if we don't use >=.
So, your patch is correct, I would only suggest that the commit message be
modified to reflect this condition.
Bandan
> vmx->nested.pml_full = true;
> return 1;
> }
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-10 20:18 ` Bandan Das
0 siblings, 0 replies; 20+ messages in thread
From: Bandan Das @ 2017-05-10 20:18 UTC (permalink / raw)
To: Dan Carpenter
Cc: Paolo Bonzini, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
Dan Carpenter <dan.carpenter@oracle.com> writes:
> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
> should be >= or we write beyond the end of the array when we do:
>
> pml_address[vmcs12->guest_pml_index--] = gpa;
>
> Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
>
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index c6f4ad44aa95..7698e8f321bf 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
> if (!nested_cpu_has_pml(vmcs12))
> return 0;
>
> - if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {
> + if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
This is actually an overflow check and as the counter decrements, we hit
0xffff which will satisfy guest_pml_index > PML_ENTITY_NUM.
However, a buggy guest hypervisor can write 512 to guest_pml_index and in that
case, we need to inject a pml full event which won't happen if we don't use >=.
So, your patch is correct, I would only suggest that the commit message be
modified to reflect this condition.
Bandan
> vmx->nested.pml_full = true;
> return 1;
> }
^ permalink raw reply [flat|nested] 20+ messages in thread
* [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-10 20:18 ` Bandan Das
@ 2017-05-10 20:43 ` Dan Carpenter
-1 siblings, 0 replies; 20+ messages in thread
From: Dan Carpenter @ 2017-05-10 20:43 UTC (permalink / raw)
To: Paolo Bonzini, Bandan Das
Cc: Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
There are PML_ENTITY_NUM elements in the pml_address[] array so the >
should be >= or we write beyond the end of the array when we do:
pml_address[vmcs12->guest_pml_index--] = gpa;
This causes a static checker warning but the runtime impact is minimal.
The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
buggy hypervisor.
Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: update the changelog to say that this is a low severity bug.
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index c6f4ad44aa95..7698e8f321bf 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
if (!nested_cpu_has_pml(vmcs12))
return 0;
- if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {
+ if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
vmx->nested.pml_full = true;
return 1;
}
^ permalink raw reply related [flat|nested] 20+ messages in thread
* [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-10 20:43 ` Dan Carpenter
0 siblings, 0 replies; 20+ messages in thread
From: Dan Carpenter @ 2017-05-10 20:43 UTC (permalink / raw)
To: Paolo Bonzini, Bandan Das
Cc: Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
There are PML_ENTITY_NUM elements in the pml_address[] array so the >
should be >= or we write beyond the end of the array when we do:
pml_address[vmcs12->guest_pml_index--] = gpa;
This causes a static checker warning but the runtime impact is minimal.
The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
buggy hypervisor.
Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: update the changelog to say that this is a low severity bug.
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index c6f4ad44aa95..7698e8f321bf 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -11213,7 +11213,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
if (!nested_cpu_has_pml(vmcs12))
return 0;
- if (vmcs12->guest_pml_index > PML_ENTITY_NUM) {
+ if (vmcs12->guest_pml_index >= PML_ENTITY_NUM) {
vmx->nested.pml_full = true;
return 1;
}
^ permalink raw reply related [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-10 20:43 ` Dan Carpenter
@ 2017-05-11 7:31 ` Paolo Bonzini
-1 siblings, 0 replies; 20+ messages in thread
From: Paolo Bonzini @ 2017-05-11 7:31 UTC (permalink / raw)
To: Dan Carpenter, Bandan Das
Cc: Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
On 10/05/2017 22:43, Dan Carpenter wrote:
> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
> should be >= or we write beyond the end of the array when we do:
>
> pml_address[vmcs12->guest_pml_index--] = gpa;
>
> This causes a static checker warning but the runtime impact is minimal.
> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
> buggy hypervisor.
The v1 commit message is better actually. You can always replace
"buggy" with "malicious".
It's a 8 byte write and bits 12-45 of the datum are controlled by the
attacker. It's pretty bad (and embarrassing - I'm not sure why I was
super-sure that PML_ENTITY_NUM was 511 rather than 512).
Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-11 7:31 ` Paolo Bonzini
0 siblings, 0 replies; 20+ messages in thread
From: Paolo Bonzini @ 2017-05-11 7:31 UTC (permalink / raw)
To: Dan Carpenter, Bandan Das
Cc: Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
On 10/05/2017 22:43, Dan Carpenter wrote:
> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
> should be >= or we write beyond the end of the array when we do:
>
> pml_address[vmcs12->guest_pml_index--] = gpa;
>
> This causes a static checker warning but the runtime impact is minimal.
> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
> buggy hypervisor.
The v1 commit message is better actually. You can always replace
"buggy" with "malicious".
It's a 8 byte write and bits 12-45 of the datum are controlled by the
attacker. It's pretty bad (and embarrassing - I'm not sure why I was
super-sure that PML_ENTITY_NUM was 511 rather than 512).
Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-11 7:31 ` Paolo Bonzini
@ 2017-05-11 7:42 ` Dan Carpenter
-1 siblings, 0 replies; 20+ messages in thread
From: Dan Carpenter @ 2017-05-11 7:42 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Bandan Das, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
On Thu, May 11, 2017 at 09:31:17AM +0200, Paolo Bonzini wrote:
>
>
> On 10/05/2017 22:43, Dan Carpenter wrote:
> > There are PML_ENTITY_NUM elements in the pml_address[] array so the >
> > should be >= or we write beyond the end of the array when we do:
> >
> > pml_address[vmcs12->guest_pml_index--] = gpa;
> >
> > This causes a static checker warning but the runtime impact is minimal.
> > The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
> > buggy hypervisor.
>
> The v1 commit message is better actually. You can always replace
> "buggy" with "malicious".
Can't the hypervisor already basically do what it wants?
regards,
dan carpenter
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-11 7:42 ` Dan Carpenter
0 siblings, 0 replies; 20+ messages in thread
From: Dan Carpenter @ 2017-05-11 7:42 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Bandan Das, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
On Thu, May 11, 2017 at 09:31:17AM +0200, Paolo Bonzini wrote:
>
>
> On 10/05/2017 22:43, Dan Carpenter wrote:
> > There are PML_ENTITY_NUM elements in the pml_address[] array so the >
> > should be >= or we write beyond the end of the array when we do:
> >
> > pml_address[vmcs12->guest_pml_index--] = gpa;
> >
> > This causes a static checker warning but the runtime impact is minimal.
> > The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
> > buggy hypervisor.
>
> The v1 commit message is better actually. You can always replace
> "buggy" with "malicious".
Can't the hypervisor already basically do what it wants?
regards,
dan carpenter
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-11 7:42 ` Dan Carpenter
@ 2017-05-11 7:52 ` Paolo Bonzini
-1 siblings, 0 replies; 20+ messages in thread
From: Paolo Bonzini @ 2017-05-11 7:52 UTC (permalink / raw)
To: Dan Carpenter
Cc: Bandan Das, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
On 11/05/2017 09:42, Dan Carpenter wrote:
> On Thu, May 11, 2017 at 09:31:17AM +0200, Paolo Bonzini wrote:
>>
>>
>> On 10/05/2017 22:43, Dan Carpenter wrote:
>>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>>> should be >= or we write beyond the end of the array when we do:
>>>
>>> pml_address[vmcs12->guest_pml_index--] = gpa;
>>>
>>> This causes a static checker warning but the runtime impact is minimal.
>>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>>> buggy hypervisor.
>>
>> The v1 commit message is better actually. You can always replace
>> "buggy" with "malicious".
>
> Can't the hypervisor already basically do what it wants?
Here you have a nested hypervisor, that can force the host hypervisor to
do a kmap and write at offset 4096 inside (well, actually outside...)
that kmap.
Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-11 7:52 ` Paolo Bonzini
0 siblings, 0 replies; 20+ messages in thread
From: Paolo Bonzini @ 2017-05-11 7:52 UTC (permalink / raw)
To: Dan Carpenter
Cc: Bandan Das, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
On 11/05/2017 09:42, Dan Carpenter wrote:
> On Thu, May 11, 2017 at 09:31:17AM +0200, Paolo Bonzini wrote:
>>
>>
>> On 10/05/2017 22:43, Dan Carpenter wrote:
>>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>>> should be >= or we write beyond the end of the array when we do:
>>>
>>> pml_address[vmcs12->guest_pml_index--] = gpa;
>>>
>>> This causes a static checker warning but the runtime impact is minimal.
>>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>>> buggy hypervisor.
>>
>> The v1 commit message is better actually. You can always replace
>> "buggy" with "malicious".
>
> Can't the hypervisor already basically do what it wants?
Here you have a nested hypervisor, that can force the host hypervisor to
do a kmap and write at offset 4096 inside (well, actually outside...)
that kmap.
Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-11 7:31 ` Paolo Bonzini
@ 2017-05-11 13:56 ` Bandan Das
-1 siblings, 0 replies; 20+ messages in thread
From: Bandan Das @ 2017-05-11 13:56 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Dan Carpenter, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
Paolo Bonzini <pbonzini@redhat.com> writes:
> On 10/05/2017 22:43, Dan Carpenter wrote:
>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>> should be >= or we write beyond the end of the array when we do:
>>
>> pml_address[vmcs12->guest_pml_index--] = gpa;
Actually, we can never write beyond the end when we do
pml_address[vmcs12->guest_pml_index--] = gpa (which happens in the
host hypervisor btw). I think this should be changed.
>> This causes a static checker warning but the runtime impact is minimal.
>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>> buggy hypervisor.
>
> The v1 commit message is better actually. You can always replace
> "buggy" with "malicious".
I agree, they are interchangeable but what's the worst that can happen ?
L1 killing itself ?
Bandan
> It's a 8 byte write and bits 12-45 of the datum are controlled by the
> attacker. It's pretty bad (and embarrassing - I'm not sure why I was
> super-sure that PML_ENTITY_NUM was 511 rather than 512).
>
> Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-11 13:56 ` Bandan Das
0 siblings, 0 replies; 20+ messages in thread
From: Bandan Das @ 2017-05-11 13:56 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Dan Carpenter, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
Paolo Bonzini <pbonzini@redhat.com> writes:
> On 10/05/2017 22:43, Dan Carpenter wrote:
>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>> should be >= or we write beyond the end of the array when we do:
>>
>> pml_address[vmcs12->guest_pml_index--] = gpa;
Actually, we can never write beyond the end when we do
pml_address[vmcs12->guest_pml_index--] = gpa (which happens in the
host hypervisor btw). I think this should be changed.
>> This causes a static checker warning but the runtime impact is minimal.
>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>> buggy hypervisor.
>
> The v1 commit message is better actually. You can always replace
> "buggy" with "malicious".
I agree, they are interchangeable but what's the worst that can happen ?
L1 killing itself ?
Bandan
> It's a 8 byte write and bits 12-45 of the datum are controlled by the
> attacker. It's pretty bad (and embarrassing - I'm not sure why I was
> super-sure that PML_ENTITY_NUM was 511 rather than 512).
>
> Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-11 13:56 ` Bandan Das
@ 2017-05-11 15:23 ` Paolo Bonzini
-1 siblings, 0 replies; 20+ messages in thread
From: Paolo Bonzini @ 2017-05-11 15:23 UTC (permalink / raw)
To: Bandan Das
Cc: Dan Carpenter, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
On 11/05/2017 15:56, Bandan Das wrote:
> Paolo Bonzini <pbonzini@redhat.com> writes:
>
>> On 10/05/2017 22:43, Dan Carpenter wrote:
>>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>>> should be >= or we write beyond the end of the array when we do:
>>>
>>> pml_address[vmcs12->guest_pml_index--] = gpa;
>
> Actually, we can never write beyond the end when we do
> pml_address[vmcs12->guest_pml_index--] = gpa (which happens in the
> host hypervisor btw). I think this should be changed.
If vmcs12->guest_pml_index is 512 it will write beyond the end without
Dan's patch.
>>> This causes a static checker warning but the runtime impact is minimal.
>>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>>> buggy hypervisor.
>>
>> The v1 commit message is better actually. You can always replace
>> "buggy" with "malicious".
>
> I agree, they are interchangeable but what's the worst that can happen ?
> L1 killing itself ?
L0 writing 8 bytes in kernel memory outside the bounds of L1's memory.
Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-11 15:23 ` Paolo Bonzini
0 siblings, 0 replies; 20+ messages in thread
From: Paolo Bonzini @ 2017-05-11 15:23 UTC (permalink / raw)
To: Bandan Das
Cc: Dan Carpenter, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
On 11/05/2017 15:56, Bandan Das wrote:
> Paolo Bonzini <pbonzini@redhat.com> writes:
>
>> On 10/05/2017 22:43, Dan Carpenter wrote:
>>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>>> should be >= or we write beyond the end of the array when we do:
>>>
>>> pml_address[vmcs12->guest_pml_index--] = gpa;
>
> Actually, we can never write beyond the end when we do
> pml_address[vmcs12->guest_pml_index--] = gpa (which happens in the
> host hypervisor btw). I think this should be changed.
If vmcs12->guest_pml_index is 512 it will write beyond the end without
Dan's patch.
>>> This causes a static checker warning but the runtime impact is minimal.
>>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>>> buggy hypervisor.
>>
>> The v1 commit message is better actually. You can always replace
>> "buggy" with "malicious".
>
> I agree, they are interchangeable but what's the worst that can happen ?
> L1 killing itself ?
L0 writing 8 bytes in kernel memory outside the bounds of L1's memory.
Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-11 15:23 ` Paolo Bonzini
@ 2017-05-11 17:06 ` Bandan Das
-1 siblings, 0 replies; 20+ messages in thread
From: Bandan Das @ 2017-05-11 17:06 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Dan Carpenter, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
Paolo Bonzini <pbonzini@redhat.com> writes:
> On 11/05/2017 15:56, Bandan Das wrote:
>> Paolo Bonzini <pbonzini@redhat.com> writes:
>>
>>> On 10/05/2017 22:43, Dan Carpenter wrote:
>>>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>>>> should be >= or we write beyond the end of the array when we do:
>>>>
>>>> pml_address[vmcs12->guest_pml_index--] = gpa;
>>
>> Actually, we can never write beyond the end when we do
>> pml_address[vmcs12->guest_pml_index--] = gpa (which happens in the
>> host hypervisor btw). I think this should be changed.
>
> If vmcs12->guest_pml_index is 512 it will write beyond the end without
> Dan's patch.
Oops, sorry! I misread, the assignment is taking place here as well. v1 is fine.
Thanks,
Bandan
>>>> This causes a static checker warning but the runtime impact is minimal.
>>>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>>>> buggy hypervisor.
>>>
>>> The v1 commit message is better actually. You can always replace
>>> "buggy" with "malicious".
>>
>> I agree, they are interchangeable but what's the worst that can happen ?
>> L1 killing itself ?
>
> L0 writing 8 bytes in kernel memory outside the bounds of L1's memory.
>
> Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH v2] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-11 17:06 ` Bandan Das
0 siblings, 0 replies; 20+ messages in thread
From: Bandan Das @ 2017-05-11 17:06 UTC (permalink / raw)
To: Paolo Bonzini
Cc: Dan Carpenter, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H. Peter Anvin, x86, kvm,
kernel-janitors
Paolo Bonzini <pbonzini@redhat.com> writes:
> On 11/05/2017 15:56, Bandan Das wrote:
>> Paolo Bonzini <pbonzini@redhat.com> writes:
>>
>>> On 10/05/2017 22:43, Dan Carpenter wrote:
>>>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>>>> should be >= or we write beyond the end of the array when we do:
>>>>
>>>> pml_address[vmcs12->guest_pml_index--] = gpa;
>>
>> Actually, we can never write beyond the end when we do
>> pml_address[vmcs12->guest_pml_index--] = gpa (which happens in the
>> host hypervisor btw). I think this should be changed.
>
> If vmcs12->guest_pml_index is 512 it will write beyond the end without
> Dan's patch.
Oops, sorry! I misread, the assignment is taking place here as well. v1 is fine.
Thanks,
Bandan
>>>> This causes a static checker warning but the runtime impact is minimal.
>>>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>>>> buggy hypervisor.
>>>
>>> The v1 commit message is better actually. You can always replace
>>> "buggy" with "malicious".
>>
>> I agree, they are interchangeable but what's the worst that can happen ?
>> L1 killing itself ?
>
> L0 writing 8 bytes in kernel memory outside the bounds of L1's memory.
>
> Paolo
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH] kvm: nVMX: off by one in vmx_write_pml_buffer()
2017-05-10 19:43 ` Dan Carpenter
@ 2017-05-16 13:56 ` Radim Krčmář
-1 siblings, 0 replies; 20+ messages in thread
From: Radim Krčmář @ 2017-05-16 13:56 UTC (permalink / raw)
To: Dan Carpenter
Cc: Paolo Bonzini, Bandan Das, Thomas Gleixner, Ingo Molnar,
H. Peter Anvin, x86, kvm, kernel-janitors
2017-05-10 22:43+0300, Dan Carpenter:
> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
> should be >= or we write beyond the end of the array when we do:
>
> pml_address[vmcs12->guest_pml_index--] = gpa;
>
> Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied to kvm/master, thanks.
(v1 was deemed better after all.)
^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH] kvm: nVMX: off by one in vmx_write_pml_buffer()
@ 2017-05-16 13:56 ` Radim Krčmář
0 siblings, 0 replies; 20+ messages in thread
From: Radim Krčmář @ 2017-05-16 13:56 UTC (permalink / raw)
To: Dan Carpenter
Cc: Paolo Bonzini, Bandan Das, Thomas Gleixner, Ingo Molnar,
H. Peter Anvin, x86, kvm, kernel-janitors
2017-05-10 22:43+0300, Dan Carpenter:
> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
> should be >= or we write beyond the end of the array when we do:
>
> pml_address[vmcs12->guest_pml_index--] = gpa;
>
> Fixes: c5f983f6e845 ("nVMX: Implement emulated Page Modification Logging")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Applied to kvm/master, thanks.
(v1 was deemed better after all.)
^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2017-05-16 13:56 UTC | newest]
Thread overview: 20+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-05-10 19:43 [PATCH] kvm: nVMX: off by one in vmx_write_pml_buffer() Dan Carpenter
2017-05-10 19:43 ` Dan Carpenter
2017-05-10 20:18 ` Bandan Das
2017-05-10 20:18 ` Bandan Das
2017-05-10 20:43 ` [PATCH v2] " Dan Carpenter
2017-05-10 20:43 ` Dan Carpenter
2017-05-11 7:31 ` Paolo Bonzini
2017-05-11 7:31 ` Paolo Bonzini
2017-05-11 7:42 ` Dan Carpenter
2017-05-11 7:42 ` Dan Carpenter
2017-05-11 7:52 ` Paolo Bonzini
2017-05-11 7:52 ` Paolo Bonzini
2017-05-11 13:56 ` Bandan Das
2017-05-11 13:56 ` Bandan Das
2017-05-11 15:23 ` Paolo Bonzini
2017-05-11 15:23 ` Paolo Bonzini
2017-05-11 17:06 ` Bandan Das
2017-05-11 17:06 ` Bandan Das
2017-05-16 13:56 ` [PATCH] " Radim Krčmář
2017-05-16 13:56 ` Radim Krčmář
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.