* CVE-2012-0045 for 3.2.y, 3.0.y and 2.6.32.y (again)
@ 2012-03-22  8:50 Stefan Bader
From: Stefan Bader @ 2012-03-22  8:50 UTC (permalink / raw)
  To: stable, kvm; +Cc: Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

Resubmitting with more of the proper maintainers
subscribed (note that Marcelo is one of them)...

---

The following patches fix a KVM guest hang/crash on 32bit guests
which is present since 2.6.32. It was fixed upstream (v3.3) and
for 3.2.y the upstream versions do apply. Moving back in history
some more adjustments are required.

Tested the backports on 32bit hosts and 32bit guests for
all releases and with 64bit host and 32bit/64bit guest
for 2.6.32.

-Stefan



* [v2.6.32.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
@ 2012-03-22  8:50 ` Stefan Bader
From: Stefan Bader @ 2012-03-22  8:50 UTC (permalink / raw)
  To: stable, kvm; +Cc: Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

From 0aa5ac57d2dcdca1e1c4ec37d6164063766831ef Mon Sep 17 00:00:00 2001
From: Stephan Bärwolf <stephan.baerwolf@tu-ilmenau.de>
Date: Thu, 12 Jan 2012 16:43:03 +0100
Subject: [PATCH 1/2] KVM: x86: extend "struct x86_emulate_ops" with
 "get_cpuid"

In order to be able to perform checks on CPU-specific properties
within the emulator, the function "get_cpuid" is introduced.
With "get_cpuid" it is possible to virtually call the guest's
"cpuid" opcode without changing the VM's context.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

(backported from commit bdb42f5afebe208eae90406959383856ae2caf2b upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/include/asm/kvm_emulate.h |    2 ++
 arch/x86/kvm/x86.c                 |   22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 0 deletions(-)

diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index 5ed59ec..5d938f9 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -109,6 +109,8 @@ struct x86_emulate_ops {
 				unsigned int bytes,
 				struct kvm_vcpu *vcpu);
 
+	bool (*get_cpuid)(struct kvm_vcpu *vcpu,
+			 u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
 };
 
 /* Type, address-of, and value of an instruction's operand. */
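Review bot: the new `get_cpuid` member has no comment stating its contract: `*eax` and `*ecx` are read as leaf and subleaf on entry and overwritten with the results, `ebx` and `edx` are outputs that may be NULL, and the return value says whether a matching CPUID entry existed. One line above the prototype, e.g. `/* eax/ecx: leaf/subleaf in, result out; ebx/edx: optional out; false if the guest has no such entry */`, would spare readers a trip to emulator_get_cpuid() in x86.c.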
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index df1cefb..74b1f11 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2871,12 +2871,34 @@ void kvm_report_emulation_failure(struct kvm_vcpu *vcpu, const char *context)
 }
 EXPORT_SYMBOL_GPL(kvm_report_emulation_failure);
 
+static bool emulator_get_cpuid(struct kvm_vcpu *vcpu,
+			       u32 *eax, u32 *ebx, u32 *ecx, u32 *edx)
+{
+	struct kvm_cpuid_entry2 *cpuid = NULL;
+
+	if (eax && ecx)
+		cpuid = kvm_find_cpuid_entry(vcpu, *eax, *ecx);
+
+	if (cpuid) {
+		*eax = cpuid->eax;
+		*ecx = cpuid->ecx;
+		if (ebx)
+			*ebx = cpuid->ebx;
+		if (edx)
+			*edx = cpuid->edx;
+		return true;
+	}
+
+	return false;
+}
+
 static struct x86_emulate_ops emulate_ops = {
 	.read_std            = kvm_read_guest_virt_system,
 	.fetch               = kvm_fetch_guest_virt,
 	.read_emulated       = emulator_read_emulated,
 	.write_emulated      = emulator_write_emulated,
 	.cmpxchg_emulated    = emulator_cmpxchg_emulated,
+	.get_cpuid           = emulator_get_cpuid,
 };
 
 static void cache_all_regs(struct kvm_vcpu *vcpu)
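Review bot: emulator_get_cpuid() folds two different conditions into the same `return false`: a caller passing NULL for `eax` or `ecx` (a programming error) and kvm_find_cpuid_entry() finding no entry for the requested leaf in the guest's table (a normal runtime case). In neither case is any output pointer written, so callers must not read `ebx`/`edx` after a false return; that deserves a comment, and the pointer check would be clearer as `if (WARN_ON(!eax || !ecx)) return false;` so that a bad call is not silently reported as "no vendor information". The NULL test on `cpuid` before the dereferences is correct.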
-- 
1.7.9.1



* [v2.6.32.y 2/2] KVM: x86: fix missing checks in syscall emulation
@ 2012-03-22  8:50 ` Stefan Bader
From: Stefan Bader @ 2012-03-22  8:50 UTC (permalink / raw)
  To: stable, kvm; +Cc: Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

From 69712f0c7cbb6363f7b2170fba93945a72d77712 Mon Sep 17 00:00:00 2001
From: Stephan Bärwolf <stephan.baerwolf@tu-ilmenau.de>
Date: Thu, 12 Jan 2012 16:43:04 +0100
Subject: [PATCH 2/2] KVM: x86: fix missing checks in syscall emulation

On hosts without this patch, 32bit guests will crash (and 64bit guests
may behave in a wrong way), for example by simply executing the following
nasm demo application:

    [bits 32]
    global _start
    SECTION .text
    _start: syscall

(I tested it with winxp and linux - both always crashed)

    Disassembly of section .text:

    00000000 <_start>:
       0:   0f 05                   syscall

The reason seems to be a missing "invalid opcode" trap (int6) for the
syscall opcode "0f05", which is not available on Intel CPUs
outside long mode, as well as on some AMD CPUs in legacy mode
(depending on CPU vendor, MSR_EFER and cpuid).

Because the previously mentioned OSs may not initialize the corresponding
syscall target registers (STAR, LSTAR, CSTAR), they remain
NULL and the (non-trapping) syscalls lead to multiple
faults and finally crashes.

Depending on the architecture (AMD or Intel) presented by
guests, various checks according to the vendor's documentation
are implemented to overcome the current issue and behave
like the CPUs' physical counterparts.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

(backported from commit c2226fc9e87ba3da060e47333657cd6616652b84 upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/include/asm/kvm_emulate.h |   13 ++++++++
 arch/x86/kvm/emulate.c             |   57 ++++++++++++++++++++++++++++++++++-
 2 files changed, 68 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index 5d938f9..1f137af 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -185,6 +185,19 @@ struct x86_emulate_ctxt {
 #define X86EMUL_MODE_PROT32   4	/* 32-bit protected mode. */
 #define X86EMUL_MODE_PROT64   8	/* 64-bit (long) mode.    */
 
+/* CPUID vendors */
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
+
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
+
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
+
 /* Host execution mode. */
 #if defined(CONFIG_X86_32)
 #define X86EMUL_MODE_HOST X86EMUL_MODE_PROT32
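Review bot: the nine hex values are the three 4-byte chunks of the CPUID leaf 0 vendor string in little-endian byte order ("Auth" = 0x68747541 in EBX, "enti" in EDX, "cAMD" in ECX), and `AMDisbetterI` stands for the string "AMDisbetter!" because `!` cannot appear in an identifier. Neither fact is stated anywhere in the hunk; a comment above the block, e.g. `/* CPUID.0 vendor id, 4 chars per register, low byte first; 'I' in AMDisbetterI stands for '!' */`, would let a reviewer check the constants without a calculator and explains why the register order of the string is ebx, edx, ecx while the defines are listed ebx, ecx, edx.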
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 1350e43..10134d2 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1495,20 +1495,73 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
 	ss->present = 1;
 }
 
+static bool syscall_is_enabled(struct x86_emulate_ctxt *ctxt,
+			       struct x86_emulate_ops *ops)
+{
+	u32 eax, ebx, ecx, edx;
+
+	/*
+	 * syscall should always be enabled in longmode - so only become
+	 * vendor specific (cpuid) if other modes are active...
+	 */
+	if (ctxt->mode == X86EMUL_MODE_PROT64)
+		return true;
+
+	eax = 0x00000000;
+	ecx = 0x00000000;
+	if (ops->get_cpuid(ctxt->vcpu, &eax, &ebx, &ecx, &edx)) {
+		/*
+		 * Intel ("GenuineIntel")
+		 * remark: Intel CPUs only support "syscall" in 64bit
+		 * longmode. Also an 64bit guest with a
+		 * 32bit compat-app running will #UD !! While this
+		 * behaviour can be fixed (by emulating) into AMD
+		 * response - CPUs of AMD can't behave like Intel.
+		 */
+		if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
+			return false;
+
+		/* AMD ("AuthenticAMD") */
+		if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
+			return true;
+
+		/* AMD ("AMDisbetter!") */
+		if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
+			return true;
+	}
+
+	/* default: (not Intel, not AMD), apply Intel's stricter rules... */
+	return false;
+}
+
 static int
-emulate_syscall(struct x86_emulate_ctxt *ctxt)
+emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
 {
 	struct decode_cache *c = &ctxt->decode;
 	struct kvm_segment cs, ss;
 	u64 msr_data;
+	u64 efer = 0;
 
 	/* syscall is not available in real mode */
 	if (c->lock_prefix || ctxt->mode == X86EMUL_MODE_REAL
 	    || ctxt->mode == X86EMUL_MODE_VM86)
 		return -1;
 
+	if (!(syscall_is_enabled(ctxt, ops)))
+		return -1;
+
+	kvm_x86_ops->get_msr(ctxt->vcpu, MSR_EFER, &efer);
 	setup_syscalls_segments(ctxt, &cs, &ss);
 
+	if (!(efer & EFER_SCE))
+		return -1;
+
 	kvm_x86_ops->get_msr(ctxt->vcpu, MSR_STAR, &msr_data);
 	msr_data >>= 32;
 	cs.selector = (u16)(msr_data & 0xfffc);
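Review bot: the backport turns upstream's `return emulate_ud(ctxt)` into `return -1`, which the call site in the next hunk maps to `goto cannot_emulate`, whereas the v3.0.y and v3.2.y copies of this patch on this thread inject #UD explicitly. The backport note should state that on this tree the cannot_emulate path ends with the guest receiving #UD, since the commit message promises an "invalid opcode" trap and a reader otherwise has to verify that the emulation-failure fallback re-queues the exception. Two smaller points: `if (!(syscall_is_enabled(ctxt, ops)))` carries a redundant pair of parentheses, and the `EFER_SCE` test could sit directly after the MSR read so setup_syscalls_segments() is not run for an instruction that is about to fault. Finally, the default branch (neither Intel nor AMD vendor string, #UD outside long mode) is the conservative choice but belongs in the changelog, as a guest presenting any other vendor id loses `syscall` in 32-bit mode.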
@@ -2342,7 +2395,7 @@ twobyte_insn:
 		}
 		break;
 	case 0x05: 		/* syscall */
-		if (emulate_syscall(ctxt) == -1)
+		if (emulate_syscall(ctxt, ops) == -1)
 			goto cannot_emulate;
 		else
 			goto writeback;
-- 
1.7.9.1
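A user-space model of the check this patch adds, written for this thread as an added example (it is not code from the patch or from the kernel): it packs a CPUID vendor string into the EBX/EDX/ECX constants the patch defines, then walks the mode, vendor and EFER.SCE decision including the no-entry, unknown-vendor and SCE-clear edge cases. `vendor_regs_from_string()` and `syscall_decision()` are the example's own names; `syscall_is_enabled()` mirrors the patch's function of that name.

```c
/*
 * Added example, not code from the patch or the kernel: a user-space model
 * of the syscall-emulation check. It shows how the 12-byte CPUID leaf 0
 * vendor id is packed into EBX:EDX:ECX (the origin of the
 * X86EMUL_CPUID_VENDOR_* constants) and the resulting decision table.
 * vendor_regs_from_string() and syscall_decision() are the example's own
 * names; syscall_is_enabled() mirrors the patch's function.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants exactly as the patch adds them to kvm_emulate.h. */
#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
#define EFER_SCE (1ULL << 0)	/* EFER bit 0: SYSCALL/SYSRET enable */

enum cpu_mode { MODE_REAL, MODE_VM86, MODE_PROT16, MODE_PROT32, MODE_PROT64 };
enum syscall_outcome { SYSCALL_UD, SYSCALL_EMULATE };
struct vendor_regs { uint32_t ebx, ecx, edx; };

/* Pack four characters the way the CPU does: first character in the low byte. */
static uint32_t pack4(const char *s)
{
	return (uint32_t)(unsigned char)s[0] | (uint32_t)(unsigned char)s[1] << 8 |
	       (uint32_t)(unsigned char)s[2] << 16 | (uint32_t)(unsigned char)s[3] << 24;
}

/* CPUID.0 returns the vendor id as EBX ("Auth"), EDX ("enti"), ECX ("cAMD"). */
static struct vendor_regs vendor_regs_from_string(const char *vendor)
{
	struct vendor_regs r = { .ebx = pack4(vendor), .edx = pack4(vendor + 4),
				 .ecx = pack4(vendor + 8) };
	return r;
}

static bool vendor_is(const struct vendor_regs *r, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
	return r->ebx == ebx && r->ecx == ecx && r->edx == edx;
}
#define VENDOR_IS(r, name) vendor_is(r, X86EMUL_CPUID_VENDOR_##name##_ebx, \
	X86EMUL_CPUID_VENDOR_##name##_ecx, X86EMUL_CPUID_VENDOR_##name##_edx)

/*
 * Same decision as syscall_is_enabled() in the patch. `vendor` is the string the
 * guest's CPUID table holds for leaf 0, or NULL to model get_cpuid() returning
 * false (no leaf 0 entry for this vcpu).
 */
static bool syscall_is_enabled(enum cpu_mode mode, const char *vendor)
{
	struct vendor_regs r;

	if (mode == MODE_PROT64)		/* long mode: never vendor specific */
		return true;
	if (!vendor || strlen(vendor) != 12)	/* get_cpuid() failed: be strict */
		return false;
	r = vendor_regs_from_string(vendor);
	if (VENDOR_IS(&r, GenuineIntel))	/* Intel: syscall only in long mode */
		return false;
	if (VENDOR_IS(&r, AuthenticAMD) || VENDOR_IS(&r, AMDisbetterI))
		return true;
	return false;				/* unknown vendor: Intel's stricter rule */
}

/* Checks in the order the patched emulate_syscall() performs them. */
static enum syscall_outcome syscall_decision(enum cpu_mode mode, bool lock_prefix,
					     const char *vendor, uint64_t efer)
{
	if (lock_prefix || mode == MODE_REAL || mode == MODE_VM86)
		return SYSCALL_UD;		/* check that existed before the patch */
	if (!syscall_is_enabled(mode, vendor))
		return SYSCALL_UD;		/* new: vendor/mode check */
	if (!(efer & EFER_SCE))
		return SYSCALL_UD;		/* new: EFER.SCE check */
	return SYSCALL_EMULATE;			/* only now are STAR/LSTAR/CSTAR consulted */
}

int main(void)
{
	/* Constructed scenarios; the first is the 32-bit nasm demo from the commit message. */
	static const struct { const char *what; enum cpu_mode mode; const char *vendor;
			      uint64_t efer; } cases[] = {
		{ "32-bit guest, GenuineIntel, SCE set", MODE_PROT32, "GenuineIntel", EFER_SCE },
		{ "32-bit guest, AuthenticAMD, SCE set", MODE_PROT32, "AuthenticAMD", EFER_SCE },
		{ "32-bit guest, AuthenticAMD, SCE clear", MODE_PROT32, "AuthenticAMD", 0 },
		{ "32-bit guest, unknown vendor id", MODE_PROT32, "NotAKnownCPU", EFER_SCE },
		{ "32-bit guest, no CPUID leaf 0 entry", MODE_PROT32, NULL, EFER_SCE },
		{ "64-bit guest, GenuineIntel, SCE set", MODE_PROT64, "GenuineIntel", EFER_SCE },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-40s -> %s\n", cases[i].what,
		       syscall_decision(cases[i].mode, false, cases[i].vendor, cases[i].efer)
		       == SYSCALL_UD ? "#UD" : "emulate");
	return 0;
}
```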



* [v3.0.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
@ 2012-03-22  8:50 ` Stefan Bader
From: Stefan Bader @ 2012-03-22  8:50 UTC (permalink / raw)
  To: stable, kvm; +Cc: Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

From eaee58e1433e1b16e686cfcdcbc207d4310a239f Mon Sep 17 00:00:00 2001
From: Stephan Bärwolf <stephan.baerwolf@tu-ilmenau.de>
Date: Thu, 12 Jan 2012 16:43:03 +0100
Subject: [PATCH 7/8] KVM: x86: extend "struct x86_emulate_ops" with
 "get_cpuid"

In order to be able to perform checks on CPU-specific properties
within the emulator, the function "get_cpuid" is introduced.
With "get_cpuid" it is possible to virtually call the guest's
"cpuid" opcode without changing the VM's context.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

(cherry-picked from commit bdb42f5afebe208eae90406959383856ae2caf2b upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/include/asm/kvm_emulate.h |    3 +++
 arch/x86/kvm/x86.c                 |   23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index 0049211..18e54f1 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -189,6 +189,9 @@ struct x86_emulate_ops {
 	int (*intercept)(struct x86_emulate_ctxt *ctxt,
 			 struct x86_instruction_info *info,
 			 enum x86_intercept_stage stage);
+
+	bool (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
+			 u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
 };
 
 typedef u32 __attribute__((vector_size(16))) sse128_t;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index bc58ede..8e15578 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4436,6 +4436,28 @@ static int emulator_intercept(struct x86_emulate_ctxt *ctxt,
 	return kvm_x86_ops->check_intercept(emul_to_vcpu(ctxt), info, stage);
 }
 
+static bool emulator_get_cpuid(struct x86_emulate_ctxt *ctxt,
+			       u32 *eax, u32 *ebx, u32 *ecx, u32 *edx)
+{
+	struct kvm_cpuid_entry2 *cpuid = NULL;
+
+	if (eax && ecx)
+		cpuid = kvm_find_cpuid_entry(emul_to_vcpu(ctxt),
+					    *eax, *ecx);
+
+	if (cpuid) {
+		*eax = cpuid->eax;
+		*ecx = cpuid->ecx;
+		if (ebx)
+			*ebx = cpuid->ebx;
+		if (edx)
+			*edx = cpuid->edx;
+		return true;
+	}
+
+	return false;
+}
+
 static struct x86_emulate_ops emulate_ops = {
 	.read_std            = kvm_read_guest_virt_system,
 	.write_std           = kvm_write_guest_virt_system,
@@ -4466,6 +4488,7 @@ static struct x86_emulate_ops emulate_ops = {
 	.get_fpu             = emulator_get_fpu,
 	.put_fpu             = emulator_put_fpu,
 	.intercept           = emulator_intercept,
+	.get_cpuid           = emulator_get_cpuid,
 };
 
 static void cache_all_regs(struct kvm_vcpu *vcpu)
-- 
1.7.9.1



* [v3.0.y 2/2] KVM: x86: fix missing checks in syscall emulation
@ 2012-03-22  8:50 ` Stefan Bader
From: Stefan Bader @ 2012-03-22  8:50 UTC (permalink / raw)
  To: stable, kvm; +Cc: Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

From 30870b1a5d29c07b75843c0b667fa29a63d818a4 Mon Sep 17 00:00:00 2001
From: Stephan Bärwolf <stephan.baerwolf@tu-ilmenau.de>
Date: Thu, 12 Jan 2012 16:43:04 +0100
Subject: [PATCH 8/8] KVM: x86: fix missing checks in syscall emulation

On hosts without this patch, 32bit guests will crash (and 64bit guests
may behave in a wrong way), for example by simply executing the following
nasm demo application:

    [bits 32]
    global _start
    SECTION .text
    _start: syscall

(I tested it with winxp and linux - both always crashed)

    Disassembly of section .text:

    00000000 <_start>:
       0:   0f 05                   syscall

The reason seems to be a missing "invalid opcode" trap (int6) for the
syscall opcode "0f05", which is not available on Intel CPUs
outside long mode, as well as on some AMD CPUs in legacy mode
(depending on CPU vendor, MSR_EFER and cpuid).

Because the previously mentioned OSs may not initialize the corresponding
syscall target registers (STAR, LSTAR, CSTAR), they remain
NULL and the (non-trapping) syscalls lead to multiple
faults and finally crashes.

Depending on the architecture (AMD or Intel) presented by
guests, various checks according to the vendor's documentation
are implemented to overcome the current issue and behave
like the CPUs' physical counterparts.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

(backported from commit c2226fc9e87ba3da060e47333657cd6616652b84 upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/include/asm/kvm_emulate.h |   13 +++++++++
 arch/x86/kvm/emulate.c             |   51 ++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 0 deletions(-)

diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index 18e54f1..0ab6a4d 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -301,6 +301,19 @@ struct x86_emulate_ctxt {
 #define X86EMUL_MODE_PROT     (X86EMUL_MODE_PROT16|X86EMUL_MODE_PROT32| \
 			       X86EMUL_MODE_PROT64)
 
+/* CPUID vendors */
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
+
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
+
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
+
 enum x86_intercept_stage {
 	X86_ICTP_NONE = 0,   /* Allow zero-init to not match anything */
 	X86_ICPT_PRE_EXCEPT,
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index adc9867..3e7d913 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1901,6 +1901,51 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
 	ss->p = 1;
 }
 
+static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
+{
+	struct x86_emulate_ops *ops = ctxt->ops;
+	u32 eax, ebx, ecx, edx;
+
+	/*
+	 * syscall should always be enabled in longmode - so only become
+	 * vendor specific (cpuid) if other modes are active...
+	 */
+	if (ctxt->mode == X86EMUL_MODE_PROT64)
+		return true;
+
+	eax = 0x00000000;
+	ecx = 0x00000000;
+	if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {
+		/*
+		 * Intel ("GenuineIntel")
+		 * remark: Intel CPUs only support "syscall" in 64bit
+		 * longmode. Also an 64bit guest with a
+		 * 32bit compat-app running will #UD !! While this
+		 * behaviour can be fixed (by emulating) into AMD
+		 * response - CPUs of AMD can't behave like Intel.
+		 */
+		if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
+			return false;
+
+		/* AMD ("AuthenticAMD") */
+		if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
+			return true;
+
+		/* AMD ("AMDisbetter!") */
+		if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
+			return true;
+	}
+
+	/* default: (not Intel, not AMD), apply Intel's stricter rules... */
+	return false;
+}
+
 static int
 emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
 {
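Review bot: `ebx` and `edx` in em_syscall_is_enabled() are assigned only through the `get_cpuid` callback and read only when it returns true, so the code is correct, but because the stores happen behind a function pointer some compilers will flag them as possibly uninitialized. Declaring `u32 eax = 0, ebx = 0, ecx = 0, edx = 0;` silences that and also replaces the two separate `eax = 0x00000000; ecx = 0x00000000;` statements. The same applies to the v2.6.32.y and v3.2.y copies of this function.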
@@ -1915,9 +1960,15 @@ emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
 	    ctxt->mode == X86EMUL_MODE_VM86)
 		return emulate_ud(ctxt);
 
+	if (!(em_syscall_is_enabled(ctxt)))
+		return emulate_ud(ctxt);
+
 	ops->get_msr(ctxt, MSR_EFER, &efer);
 	setup_syscalls_segments(ctxt, ops, &cs, &ss);
 
+	if (!(efer & EFER_SCE))
+		return emulate_ud(ctxt);
+
 	ops->get_msr(ctxt, MSR_STAR, &msr_data);
 	msr_data >>= 32;
 	cs_sel = (u16)(msr_data & 0xfffc);
-- 
1.7.9.1



* [v3.2.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
@ 2012-03-22  8:50 ` Stefan Bader
From: Stefan Bader @ 2012-03-22  8:50 UTC (permalink / raw)
  To: stable, kvm; +Cc: Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

From 993480c661c6a850fcb79ac06137208950415170 Mon Sep 17 00:00:00 2001
From: Stephan Bärwolf <stephan.baerwolf@tu-ilmenau.de>
Date: Thu, 12 Jan 2012 16:43:03 +0100
Subject: [PATCH 09/10] KVM: x86: extend "struct x86_emulate_ops" with
 "get_cpuid"

In order to be able to perform checks on CPU-specific properties
within the emulator, the function "get_cpuid" is introduced.
With "get_cpuid" it is possible to virtually call the guest's
"cpuid" opcode without changing the VM's context.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

(cherry-picked from commit bdb42f5afebe208eae90406959383856ae2caf2b upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/include/asm/kvm_emulate.h |    3 +++
 arch/x86/kvm/x86.c                 |   23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index a026507..a440a7f 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -189,6 +189,9 @@ struct x86_emulate_ops {
 	int (*intercept)(struct x86_emulate_ctxt *ctxt,
 			 struct x86_instruction_info *info,
 			 enum x86_intercept_stage stage);
+
+	bool (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
+			 u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
 };
 
 typedef u32 __attribute__((vector_size(16))) sse128_t;
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 4c938da..e04cae1 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4655,6 +4655,28 @@ static int emulator_intercept(struct x86_emulate_ctxt *ctxt,
 	return kvm_x86_ops->check_intercept(emul_to_vcpu(ctxt), info, stage);
 }
 
+static bool emulator_get_cpuid(struct x86_emulate_ctxt *ctxt,
+			       u32 *eax, u32 *ebx, u32 *ecx, u32 *edx)
+{
+	struct kvm_cpuid_entry2 *cpuid = NULL;
+
+	if (eax && ecx)
+		cpuid = kvm_find_cpuid_entry(emul_to_vcpu(ctxt),
+					    *eax, *ecx);
+
+	if (cpuid) {
+		*eax = cpuid->eax;
+		*ecx = cpuid->ecx;
+		if (ebx)
+			*ebx = cpuid->ebx;
+		if (edx)
+			*edx = cpuid->edx;
+		return true;
+	}
+
+	return false;
+}
+
 static struct x86_emulate_ops emulate_ops = {
 	.read_std            = kvm_read_guest_virt_system,
 	.write_std           = kvm_write_guest_virt_system,
@@ -4685,6 +4707,7 @@ static struct x86_emulate_ops emulate_ops = {
 	.get_fpu             = emulator_get_fpu,
 	.put_fpu             = emulator_put_fpu,
 	.intercept           = emulator_intercept,
+	.get_cpuid           = emulator_get_cpuid,
 };
 
 static void cache_all_regs(struct kvm_vcpu *vcpu)
-- 
1.7.9.1



* [v3.2.y 2/2] KVM: x86: fix missing checks in syscall emulation
@ 2012-03-22  8:50 ` Stefan Bader
From: Stefan Bader @ 2012-03-22  8:50 UTC (permalink / raw)
  To: stable, kvm; +Cc: Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

From 0d9961104ca537ac1035cd84c6f7e321202b1381 Mon Sep 17 00:00:00 2001
From: Stephan Bärwolf <stephan.baerwolf@tu-ilmenau.de>
Date: Thu, 12 Jan 2012 16:43:04 +0100
Subject: [PATCH 10/10] KVM: x86: fix missing checks in syscall emulation

On hosts without this patch, 32bit guests will crash (and 64bit guests
may behave in a wrong way), for example by simply executing the following
nasm demo application:

    [bits 32]
    global _start
    SECTION .text
    _start: syscall

(I tested it with winxp and linux - both always crashed)

    Disassembly of section .text:

    00000000 <_start>:
       0:   0f 05                   syscall

The reason seems to be a missing "invalid opcode" trap (int6) for the
syscall opcode "0f05", which is not available on Intel CPUs
outside long mode, as well as on some AMD CPUs in legacy mode
(depending on CPU vendor, MSR_EFER and cpuid).

Because the previously mentioned OSs may not initialize the corresponding
syscall target registers (STAR, LSTAR, CSTAR), they remain
NULL and the (non-trapping) syscalls lead to multiple
faults and finally crashes.

Depending on the architecture (AMD or Intel) presented by
guests, various checks according to the vendor's documentation
are implemented to overcome the current issue and behave
like the CPUs' physical counterparts.

[mtosatti: cleanup/beautify code]

Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>

(cherry-picked from commit c2226fc9e87ba3da060e47333657cd6616652b84 upstream)
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
---
 arch/x86/include/asm/kvm_emulate.h |   13 +++++++++
 arch/x86/kvm/emulate.c             |   51 ++++++++++++++++++++++++++++++++++++
 2 files changed, 64 insertions(+), 0 deletions(-)

diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
index a440a7f..70ea6fd 100644
--- a/arch/x86/include/asm/kvm_emulate.h
+++ b/arch/x86/include/asm/kvm_emulate.h
@@ -300,6 +300,19 @@ struct x86_emulate_ctxt {
 #define X86EMUL_MODE_PROT     (X86EMUL_MODE_PROT16|X86EMUL_MODE_PROT32| \
 			       X86EMUL_MODE_PROT64)
 
+/* CPUID vendors */
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
+
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
+#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
+
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
+#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
+
 enum x86_intercept_stage {
 	X86_ICTP_NONE = 0,   /* Allow zero-init to not match anything */
 	X86_ICPT_PRE_EXCEPT,
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index f1e3be1..f5302da 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1877,6 +1877,51 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
 	ss->p = 1;
 }
 
+static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
+{
+	struct x86_emulate_ops *ops = ctxt->ops;
+	u32 eax, ebx, ecx, edx;
+
+	/*
+	 * syscall should always be enabled in longmode - so only become
+	 * vendor specific (cpuid) if other modes are active...
+	 */
+	if (ctxt->mode == X86EMUL_MODE_PROT64)
+		return true;
+
+	eax = 0x00000000;
+	ecx = 0x00000000;
+	if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {
+		/*
+		 * Intel ("GenuineIntel")
+		 * remark: Intel CPUs only support "syscall" in 64bit
+		 * longmode. Also an 64bit guest with a
+		 * 32bit compat-app running will #UD !! While this
+		 * behaviour can be fixed (by emulating) into AMD
+		 * response - CPUs of AMD can't behave like Intel.
+		 */
+		if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
+			return false;
+
+		/* AMD ("AuthenticAMD") */
+		if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
+			return true;
+
+		/* AMD ("AMDisbetter!") */
+		if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
+		    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
+		    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
+			return true;
+	}
+
+	/* default: (not Intel, not AMD), apply Intel's stricter rules... */
+	return false;
+}
+
 static int em_syscall(struct x86_emulate_ctxt *ctxt)
 {
 	struct x86_emulate_ops *ops = ctxt->ops;
@@ -1890,9 +1935,15 @@ static int em_syscall(struct x86_emulate_ctxt *ctxt)
 	    ctxt->mode == X86EMUL_MODE_VM86)
 		return emulate_ud(ctxt);
 
+	if (!(em_syscall_is_enabled(ctxt)))
+		return emulate_ud(ctxt);
+
 	ops->get_msr(ctxt, MSR_EFER, &efer);
 	setup_syscalls_segments(ctxt, &cs, &ss);
 
+	if (!(efer & EFER_SCE))
+		return emulate_ud(ctxt);
+
 	ops->get_msr(ctxt, MSR_STAR, &msr_data);
 	msr_data >>= 32;
 	cs_sel = (u16)(msr_data & 0xfffc);
-- 
1.7.9.1



* Re: CVE-2012-0045 for 3.2.y, 3.0.y and 2.6.32.y (again)
@ 2012-03-22 14:37 ` Greg KH
From: Greg KH @ 2012-03-22 14:37 UTC (permalink / raw)
  To: Stefan Bader; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

On Thu, Mar 22, 2012 at 09:50:40AM +0100, Stefan Bader wrote:
> Resubmitting with more of the proper maintainers
> subscribed (note that Marcelo is one of them)...

Again, for the others on the cc:, I can't take these in the stable
tree(s) until I get an ack from the maintainers of the code.

Especially given that the KVM developers have told me in the past to not
take any patches unless they send them to me themselves...

greg k-h


* Re: [v2.6.32.y 2/2] KVM: x86: fix missing checks in syscall emulation
@ 2012-03-23  0:07   ` Marcelo Tosatti
From: Marcelo Tosatti @ 2012-03-23  0:07 UTC (permalink / raw)
  To: Stefan Bader; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity

On Thu, Mar 22, 2012 at 09:50:42AM +0100, Stefan Bader wrote:
> From 69712f0c7cbb6363f7b2170fba93945a72d77712 Mon Sep 17 00:00:00 2001
> From: Stephan Bärwolf <stephan.baerwolf@tu-ilmenau.de>
> Date: Thu, 12 Jan 2012 16:43:04 +0100
> Subject: [PATCH 2/2] KVM: x86: fix missing checks in syscall emulation
> 
> On hosts without this patch, 32bit guests will crash (and 64bit guests
> may behave in a wrong way), for example by simply executing the following
> nasm demo application:
> 
>     [bits 32]
>     global _start
>     SECTION .text
>     _start: syscall
> 
> (I tested it with winxp and linux - both always crashed)
> 
>     Disassembly of section .text:
> 
>     00000000 <_start>:
>        0:   0f 05                   syscall
> 
> The reason seems to be a missing "invalid opcode" trap (int6) for the
> syscall opcode "0f05", which is not available on Intel CPUs
> outside long mode, as well as on some AMD CPUs in legacy mode
> (depending on CPU vendor, MSR_EFER and cpuid).
> 
> Because the previously mentioned OSs may not initialize the corresponding
> syscall target registers (STAR, LSTAR, CSTAR), they remain
> NULL and the (non-trapping) syscalls lead to multiple
> faults and finally crashes.
> 
> Depending on the architecture (AMD or Intel) presented by
> guests, various checks according to the vendor's documentation
> are implemented to overcome the current issue and behave
> like the CPUs' physical counterparts.
> 
> [mtosatti: cleanup/beautify code]
> 
> Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
> 
> (backported from commit c2226fc9e87ba3da060e47333657cd6616652b84 upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  arch/x86/include/asm/kvm_emulate.h |   13 ++++++++
>  arch/x86/kvm/emulate.c             |   57 ++++++++++++++++++++++++++++++++++-
>  2 files changed, 68 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
> index 5d938f9..1f137af 100644
> --- a/arch/x86/include/asm/kvm_emulate.h
> +++ b/arch/x86/include/asm/kvm_emulate.h
> @@ -185,6 +185,19 @@ struct x86_emulate_ctxt {
>  #define X86EMUL_MODE_PROT32   4	/* 32-bit protected mode. */
>  #define X86EMUL_MODE_PROT64   8	/* 64-bit (long) mode.    */
>  
> +/* CPUID vendors */
> +#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
> +#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
> +#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
> +
> +#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
> +#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
> +#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
> +
> +#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
> +#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
> +#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
> +
>  /* Host execution mode. */
>  #if defined(CONFIG_X86_32)
>  #define X86EMUL_MODE_HOST X86EMUL_MODE_PROT32
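
Review bot: the nine vendor words are bare magic numbers; a line under `+/* CPUID vendors */` noting that the 12-byte vendor string is stored little-endian across ebx, edx, ecx in that order (so `+#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541` is "Auth", the `_edx` value "enti" and the `_ecx` value "cAMD") would let a reviewer check them at a glance. The values do decode to "AuthenticAMD", "AMDisbetter!" and "GenuineIntel", and it is worth saying that the trailing `I` in `AMDisbetterI` stands in for the `!` of the real signature, which cannot appear in an identifier.
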
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 1350e43..10134d2 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -1495,20 +1495,73 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
>  	ss->present = 1;
>  }
>  
> +static bool syscall_is_enabled(struct x86_emulate_ctxt *ctxt,
> +			       struct x86_emulate_ops *ops)
> +{
> +	u32 eax, ebx, ecx, edx;
> +
> +	/*
> +	 * syscall should always be enabled in longmode - so only become
> +	 * vendor specific (cpuid) if other modes are active...
> +	 */
> +	if (ctxt->mode == X86EMUL_MODE_PROT64)
> +		return true;
> +
> +	eax = 0x00000000;
> +	ecx = 0x00000000;
> +	if (ops->get_cpuid(ctxt->vcpu, &eax, &ebx, &ecx, &edx)) {
> +		/*
> +		 * Intel ("GenuineIntel")
> +		 * remark: Intel CPUs only support "syscall" in 64bit
> +		 * longmode. Also an 64bit guest with a
> +		 * 32bit compat-app running will #UD !! While this
> +		 * behaviour can be fixed (by emulating) into AMD
> +		 * response - CPUs of AMD can't behave like Intel.
> +		 */
> +		if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
> +		    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
> +		    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
> +			return false;
> +
> +		/* AMD ("AuthenticAMD") */
> +		if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
> +		    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
> +		    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
> +			return true;
> +
> +		/* AMD ("AMDisbetter!") */
> +		if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
> +		    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
> +		    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
> +			return true;
> +	}
> +
> +	/* default: (not Intel, not AMD), apply Intel's stricter rules... */
> +	return false;
> +}
> +
>  static int
> -emulate_syscall(struct x86_emulate_ctxt *ctxt)
> +emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
>  {
>  	struct decode_cache *c = &ctxt->decode;
>  	struct kvm_segment cs, ss;
>  	u64 msr_data;
> +	u64 efer = 0;
>  
>  	/* syscall is not available in real mode */
>  	if (c->lock_prefix || ctxt->mode == X86EMUL_MODE_REAL
>  	    || ctxt->mode == X86EMUL_MODE_VM86)
>  		return -1;
>  
> +	if (!(syscall_is_enabled(ctxt, ops)))
> +		return -1;
> +
> +	kvm_x86_ops->get_msr(ctxt->vcpu, MSR_EFER, &efer);
>  	setup_syscalls_segments(ctxt, &cs, &ss);
>  
> +	if (!(efer & EFER_SCE))
> +		return -1;
> +
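
Review bot: both new rejections at `+	if (!(syscall_is_enabled(ctxt, ops)))` and `+	if (!(efer & EFER_SCE))` return -1, the code the existing real-mode check uses, so the emulator reports a failure instead of delivering the #UD a physical CPU raises; the v3.0.y version of this backport returns emulate_ud(ctxt) at the same two places. The doubled parentheses in the first condition are redundant, `!syscall_is_enabled(ctxt, ops)` reads better. The quote stops here, so the call site that must now pass `ops` to emulate_syscall() is not visible; the diffstat counts two deletions and this hunk shows only one, which suggests the caller was updated in the part cut off.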

It should inject an exception (kvm_queue_exception(UD_VECTOR)) instead
of simply looping on the same instruction.
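
The commit message quoted above explains why a 32-bit guest executing `0f 05` crashed and which checks the patch adds. As an added illustration, not code from the patch series or from KVM, here is a user-space C model of emulate_syscall()'s decision before and after the fix: it decodes the CPUID vendor words used by the patch and runs the commit message's scenario, plus a few others, through both versions. The vcpu model, the mode and outcome enums, the scenario table and the MSR_STAR value 0x0023001000000000 are constructed for this example, and EFER.SCE is assumed to be bit 0 of IA32_EFER.

```c
/* Added example, not code from the patch series or from KVM: a user-space model
 * of emulate_syscall()'s decision before and after the fix. The CPUID vendor words
 * and the cs_sel derivation come from the patch; everything else is constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* CPUID leaf 0 vendor signature words, values as in the patch. */
#define VENDOR_AuthenticAMD_ebx 0x68747541u
#define VENDOR_AuthenticAMD_ecx 0x444d4163u
#define VENDOR_AuthenticAMD_edx 0x69746e65u
#define VENDOR_AMDisbetterI_ebx 0x69444d41u
#define VENDOR_AMDisbetterI_ecx 0x21726574u
#define VENDOR_AMDisbetterI_edx 0x74656273u
#define VENDOR_GenuineIntel_ebx 0x756e6547u
#define VENDOR_GenuineIntel_ecx 0x6c65746eu
#define VENDOR_GenuineIntel_edx 0x49656e69u
#define EFER_SCE (1ULL << 0)	/* IA32_EFER.SCE (SYSCALL enable), assumed bit 0 */

/* Constructed: emulator modes (named after X86EMUL_MODE_*) and the two outcomes. */
enum emul_mode { MODE_REAL, MODE_VM86, MODE_PROT16, MODE_PROT32, MODE_PROT64 };
enum outcome { SYSCALL_UD = 0, SYSCALL_EMULATED = 1 };
struct vcpu_model {	/* constructed: the guest state consulted for opcode 0f 05 */
	enum emul_mode mode;
	bool lock_prefix, has_cpuid_leaf0;	/* leaf0 false: kvm_find_cpuid_entry() finds nothing */
	uint32_t ebx, ecx, edx;	/* CPUID(0) vendor signature */
	uint64_t efer, star;	/* MSR_STAR stays 0 if the guest OS never wrote it */
};

/* The 12 vendor bytes sit little-endian in ebx, edx, ecx, in that order:
 * 0x68747541 is "Auth", 0x69746e65 "enti", 0x444d4163 "cAMD". */
bool vendor_decodes_to(uint32_t ebx, uint32_t edx, uint32_t ecx, const char *name)
{
	uint32_t regs[3] = { ebx, edx, ecx };
	char out[13];
	for (int i = 0; i < 3; i++)
		for (int b = 0; b < 4; b++)
			out[i * 4 + b] = (char)(regs[i] >> (8 * b));
	out[12] = '\0';
	return strcmp(out, name) == 0;
}

#define VENDOR_IS(v, X) ((v)->ebx == VENDOR_##X##_ebx && (v)->ecx == VENDOR_##X##_ecx && \
			 (v)->edx == VENDOR_##X##_edx)
/* Same decision as the patch's syscall_is_enabled(). */
static bool syscall_is_enabled(const struct vcpu_model *v)
{
	if (v->mode == MODE_PROT64)
		return true;	/* long mode: SYSCALL always exists */
	if (v->has_cpuid_leaf0 && VENDOR_IS(v, GenuineIntel))
		return false;	/* Intel: #UD outside 64-bit mode */
	if (v->has_cpuid_leaf0 && (VENDOR_IS(v, AuthenticAMD) || VENDOR_IS(v, AMDisbetterI)))
		return true;
	return false;	/* no leaf 0 or unknown vendor: Intel's stricter rule */
}

/* patched == false keeps only the pre-existing real-mode/VM86/LOCK checks, so a
 * 32-bit guest gets CS from an MSR_STAR it never wrote, i.e. the null selector. */
enum outcome emulate_syscall_model(const struct vcpu_model *v, bool patched, uint16_t *cs_sel)
{
	if (v->lock_prefix || v->mode == MODE_REAL || v->mode == MODE_VM86)
		return SYSCALL_UD;
	if (patched && !syscall_is_enabled(v))
		return SYSCALL_UD;
	if (patched && !(v->efer & EFER_SCE))
		return SYSCALL_UD;
	*cs_sel = (uint16_t)((v->star >> 32) & 0xfffc);	/* as in the patch's context lines */
	return SYSCALL_EMULATED;
}

/* Constructed scenarios; #0 is the commit message's crashing 32-bit guest.
 * STAR holds a typical Linux layout with the SYSCALL CS 0x10 in bits 47:32. */
#define INTEL VENDOR_GenuineIntel_ebx, VENDOR_GenuineIntel_ecx, VENDOR_GenuineIntel_edx
#define AMD   VENDOR_AuthenticAMD_ebx, VENDOR_AuthenticAMD_ecx, VENDOR_AuthenticAMD_edx
#define STAR  0x0023001000000000ULL
static const struct { const char *name; struct vcpu_model v; } scenarios[] = {
	{ "PROT32 Intel, SCE clear, STAR unset", { MODE_PROT32, false, true, INTEL, 0, 0 } },
	{ "PROT32 AMD, SCE set",                 { MODE_PROT32, false, true, AMD, EFER_SCE, STAR } },
	{ "PROT32 AMD, SCE clear",               { MODE_PROT32, false, true, AMD, 0, 0 } },
	{ "PROT64 Intel, SCE set",               { MODE_PROT64, false, true, INTEL, EFER_SCE, STAR } },
	{ "PROT32, no CPUID leaf 0, SCE set",    { MODE_PROT32, false, false, 0, 0, 0, EFER_SCE, 0 } },
};

/* Result for scenario i: -1 when the emulator raises #UD, else the CS selector it loads. */
int scenario_result(int i, bool patched)
{
	uint16_t cs = 0;
	if (emulate_syscall_model(&scenarios[i].v, patched, &cs) == SYSCALL_UD)
		return -1;
	return cs;
}

int main(void)
{
	for (int i = 0; i < (int)(sizeof scenarios / sizeof scenarios[0]); i++)
		printf("%-38s before: %3d   after: %3d\n", scenarios[i].name,
		       scenario_result(i, false), scenario_result(i, true));
	return 0;
}
```

Unpatched, scenario 0 is accepted and the emulator goes on to load CS from an MSR_STAR the 32-bit guest never wrote, which is the null selector behind the commit message's "remain NULL"; patched, the same guest gets #UD, the AMD guest with EFER.SCE set is still emulated with CS 0x10, and a guest with no CPUID leaf 0 entry falls under the Intel rule.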




* Re: CVE-2012-0045 for 3.2.y, 3.0.y and 2.6.32.y (again)
  2012-03-22  8:50 CVE-2012-0045 for 3.2.y, 3.0.y and 2.6.32.y (again) Stefan Bader
                   ` (6 preceding siblings ...)
  2012-03-22 14:37 ` CVE-2012-0045 for 3.2.y, 3.0.y and 2.6.32.y (again) Greg KH
@ 2012-03-23  1:47 ` Marcelo Tosatti
  7 siblings, 0 replies; 16+ messages in thread
From: Marcelo Tosatti @ 2012-03-23  1:47 UTC (permalink / raw)
  To: Stefan Bader; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity


v3.0.y and v3.2.y patches are OK, I'll ACK individually
once they're autotested.

On Thu, Mar 22, 2012 at 09:50:40AM +0100, Stefan Bader wrote:
> Resubmitting with more of the proper maintainers
> subscribed (note that Marcelo is one of them)...
> 
> ---
> 
> The following patches fix a KVM guest hang/crash on 32bit guests
> which is present since 2.6.32. It was fixed upstream (v3.3) and
> for 3.2.y the upstream versions do apply. Moving back in history
> some more adjustments are required.
> 
> Tested the backports on 32bit hosts and 32bit guests for
> all releases and with 64bit host and 32bit/64bit guest
> for 2.6.32.
> 
> -Stefan


* Re: [v2.6.32.y 2/2] KVM: x86: fix missing checks in syscall emulation
  2012-03-23  0:07   ` Marcelo Tosatti
@ 2012-03-23  7:01     ` Stefan Bader
  0 siblings, 0 replies; 16+ messages in thread
From: Stefan Bader @ 2012-03-23  7:01 UTC (permalink / raw)
  To: Marcelo Tosatti; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity

On 23.03.2012 01:07, Marcelo Tosatti wrote:
> On Thu, Mar 22, 2012 at 09:50:42AM +0100, Stefan Bader wrote:
>>> From 69712f0c7cbb6363f7b2170fba93945a72d77712 Mon Sep 17 00:00:00 2001
>> From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf@tu-ilmenau.de>
>> Date: Thu, 12 Jan 2012 16:43:04 +0100
>> Subject: [PATCH 2/2] KVM: x86: fix missing checks in syscall emulation
> 
> It should inject an exception (kvm_queue_exception(UD_VECTOR)) instead of
> simply looping on the same instruction.
> 
> 
Hm, ok. I did not want to exit differently from what is done in the real mode
case. Practically (in testing) it seemed to end up having the same effect on
the test case.


* Re: [v3.0.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
  2012-03-22  8:50 ` [v3.0.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid" Stefan Bader
@ 2012-03-23 14:00   ` Marcelo Tosatti
  2012-03-23 17:22   ` Greg KH
  1 sibling, 0 replies; 16+ messages in thread
From: Marcelo Tosatti @ 2012-03-23 14:00 UTC (permalink / raw)
  To: Stefan Bader; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity

On Thu, Mar 22, 2012 at 09:50:43AM +0100, Stefan Bader wrote:
> >From eaee58e1433e1b16e686cfcdcbc207d4310a239f Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf@tu-ilmenau.de>
> Date: Thu, 12 Jan 2012 16:43:03 +0100
> Subject: [PATCH 7/8] KVM: x86: extend "struct x86_emulate_ops" with
>  "get_cpuid"
> 
> In order to be able to proceed checks on CPU-specific properties
> within the emulator, function "get_cpuid" is introduced.
> With "get_cpuid" it is possible to virtually call the guests
> "cpuid"-opcode without changing the VM's context.
> 
> [mtosatti: cleanup/beautify code]
> 
> Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
> 
> (cherry-picked from commit bdb42f5afebe208eae90406959383856ae2caf2b upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  arch/x86/include/asm/kvm_emulate.h |    3 +++
>  arch/x86/kvm/x86.c                 |   23 +++++++++++++++++++++++
>  2 files changed, 26 insertions(+), 0 deletions(-)
> 
> diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
> index 0049211..18e54f1 100644
> --- a/arch/x86/include/asm/kvm_emulate.h
> +++ b/arch/x86/include/asm/kvm_emulate.h
> @@ -189,6 +189,9 @@ struct x86_emulate_ops {
>  	int (*intercept)(struct x86_emulate_ctxt *ctxt,
>  			 struct x86_instruction_info *info,
>  			 enum x86_intercept_stage stage);
> +
> +	bool (*get_cpuid)(struct x86_emulate_ctxt *ctxt,
> +			 u32 *eax, u32 *ebx, u32 *ecx, u32 *edx);
>  };
>  
>  typedef u32 __attribute__((vector_size(16))) sse128_t;
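
Review bot: the contract of `+	bool (*get_cpuid)(struct x86_emulate_ctxt *ctxt,` is not documented in the header: judging by the implementation in the x86.c hunk, `*eax` and `*ecx` carry the leaf and subleaf on entry and are overwritten with the results, `ebx` and `edx` may be NULL, and a false return leaves every output untouched. A short comment above the member stating that (and that eax/ecx must be non-NULL, since NULL silently yields false) would save each caller from reading emulator_get_cpuid() to find out.
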
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index bc58ede..8e15578 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -4436,6 +4436,28 @@ static int emulator_intercept(struct x86_emulate_ctxt *ctxt,
>  	return kvm_x86_ops->check_intercept(emul_to_vcpu(ctxt), info, stage);
>  }
>  
> +static bool emulator_get_cpuid(struct x86_emulate_ctxt *ctxt,
> +			       u32 *eax, u32 *ebx, u32 *ecx, u32 *edx)
> +{
> +	struct kvm_cpuid_entry2 *cpuid = NULL;
> +
> +	if (eax && ecx)
> +		cpuid = kvm_find_cpuid_entry(emul_to_vcpu(ctxt),
> +					    *eax, *ecx);
> +
> +	if (cpuid) {
> +		*eax = cpuid->eax;
> +		*ecx = cpuid->ecx;
> +		if (ebx)
> +			*ebx = cpuid->ebx;
> +		if (edx)
> +			*edx = cpuid->edx;
> +		return true;
> +	}
> +
> +	return false;
> +}
> +
>  static struct x86_emulate_ops emulate_ops = {
>  	.read_std            = kvm_read_guest_virt_system,
>  	.write_std           = kvm_write_guest_virt_system,
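
Review bot: when `kvm_find_cpuid_entry()` returns NULL the function returns false without writing any output, so a caller that reads `ebx`/`edx` after a false return sees uninitialised stack contents; the only caller in 2/2 reads them inside `if (ops->get_cpuid(...))`, so it is correct today, but a one-line comment above `+	if (cpuid) {` saying the outputs are valid only when true is returned would keep it that way. Also, `*eax = cpuid->eax;` and `*ecx = cpuid->ecx;` overwrite the leaf/subleaf the caller passed in, which the vendor query in 2/2 does not mind but which the comment should state.
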
> @@ -4466,6 +4488,7 @@ static struct x86_emulate_ops emulate_ops = {
>  	.get_fpu             = emulator_get_fpu,
>  	.put_fpu             = emulator_put_fpu,
>  	.intercept           = emulator_intercept,
> +	.get_cpuid           = emulator_get_cpuid,
>  };
>  
>  static void cache_all_regs(struct kvm_vcpu *vcpu)

ACK


* Re: [v3.0.y 2/2] KVM: x86: fix missing checks in syscall emulation
  2012-03-22  8:50 ` [v3.0.y 2/2] KVM: x86: fix missing checks in syscall emulation Stefan Bader
@ 2012-03-23 14:01   ` Marcelo Tosatti
  0 siblings, 0 replies; 16+ messages in thread
From: Marcelo Tosatti @ 2012-03-23 14:01 UTC (permalink / raw)
  To: Stefan Bader; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity

On Thu, Mar 22, 2012 at 09:50:44AM +0100, Stefan Bader wrote:
> >From 30870b1a5d29c07b75843c0b667fa29a63d818a4 Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf@tu-ilmenau.de>
> Date: Thu, 12 Jan 2012 16:43:04 +0100
> Subject: [PATCH 8/8] KVM: x86: fix missing checks in syscall emulation
> 
> On hosts without this patch, 32bit guests will crash (and 64bit guests
> may behave in a wrong way), for example by simply executing the following
> nasm demo application:
> 
>     [bits 32]
>     global _start
>     SECTION .text
>     _start: syscall
> 
> (I tested it with winxp and linux - both always crashed)
> 
>     Disassembly of section .text:
> 
>     00000000 <_start>:
>        0:   0f 05                   syscall
> 
> The reason seems to be a missing "invalid opcode" trap (int6) for the
> syscall opcode "0f05", which is not available on Intel CPUs
> outside long mode, nor on some AMD CPUs in legacy mode
> (depending on CPU vendor, MSR_EFER and cpuid).
> 
> Because the previously mentioned OSs may not engage the corresponding
> syscall target registers (STAR, LSTAR, CSTAR), they remain
> NULL and (non-trapping) syscalls lead to multiple
> faults and finally crashes.
> 
> Depending on the architecture (AMD or Intel) pretended by
> guests, various checks according to vendor's documentation
> are implemented to overcome the current issue and behave
> like the CPUs physical counterparts.
> 
> [mtosatti: cleanup/beautify code]
> 
> Signed-off-by: Stephan Baerwolf <stephan.baerwolf@tu-ilmenau.de>
> Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
> 
> (backported from commit c2226fc9e87ba3da060e47333657cd6616652b84 upstream)
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  arch/x86/include/asm/kvm_emulate.h |   13 +++++++++
>  arch/x86/kvm/emulate.c             |   51 ++++++++++++++++++++++++++++++++++++
>  2 files changed, 64 insertions(+), 0 deletions(-)
> 
> diff --git a/arch/x86/include/asm/kvm_emulate.h b/arch/x86/include/asm/kvm_emulate.h
> index 18e54f1..0ab6a4d 100644
> --- a/arch/x86/include/asm/kvm_emulate.h
> +++ b/arch/x86/include/asm/kvm_emulate.h
> @@ -301,6 +301,19 @@ struct x86_emulate_ctxt {
>  #define X86EMUL_MODE_PROT     (X86EMUL_MODE_PROT16|X86EMUL_MODE_PROT32| \
>  			       X86EMUL_MODE_PROT64)
>  
> +/* CPUID vendors */
> +#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx 0x68747541
> +#define X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx 0x444d4163
> +#define X86EMUL_CPUID_VENDOR_AuthenticAMD_edx 0x69746e65
> +
> +#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx 0x69444d41
> +#define X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx 0x21726574
> +#define X86EMUL_CPUID_VENDOR_AMDisbetterI_edx 0x74656273
> +
> +#define X86EMUL_CPUID_VENDOR_GenuineIntel_ebx 0x756e6547
> +#define X86EMUL_CPUID_VENDOR_GenuineIntel_ecx 0x6c65746e
> +#define X86EMUL_CPUID_VENDOR_GenuineIntel_edx 0x49656e69
> +
>  enum x86_intercept_stage {
>  	X86_ICTP_NONE = 0,   /* Allow zero-init to not match anything */
>  	X86_ICPT_PRE_EXCEPT,
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index adc9867..3e7d913 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -1901,6 +1901,51 @@ setup_syscalls_segments(struct x86_emulate_ctxt *ctxt,
>  	ss->p = 1;
>  }
>  
> +static bool em_syscall_is_enabled(struct x86_emulate_ctxt *ctxt)
> +{
> +	struct x86_emulate_ops *ops = ctxt->ops;
> +	u32 eax, ebx, ecx, edx;
> +
> +	/*
> +	 * syscall should always be enabled in longmode - so only become
> +	 * vendor specific (cpuid) if other modes are active...
> +	 */
> +	if (ctxt->mode == X86EMUL_MODE_PROT64)
> +		return true;
> +
> +	eax = 0x00000000;
> +	ecx = 0x00000000;
> +	if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {
> +		/*
> +		 * Intel ("GenuineIntel")
> +		 * remark: Intel CPUs only support "syscall" in 64bit
> +		 * longmode. Also an 64bit guest with a
> +		 * 32bit compat-app running will #UD !! While this
> +		 * behaviour can be fixed (by emulating) into AMD
> +		 * response - CPUs of AMD can't behave like Intel.
> +		 */
> +		if (ebx == X86EMUL_CPUID_VENDOR_GenuineIntel_ebx &&
> +		    ecx == X86EMUL_CPUID_VENDOR_GenuineIntel_ecx &&
> +		    edx == X86EMUL_CPUID_VENDOR_GenuineIntel_edx)
> +			return false;
> +
> +		/* AMD ("AuthenticAMD") */
> +		if (ebx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ebx &&
> +		    ecx == X86EMUL_CPUID_VENDOR_AuthenticAMD_ecx &&
> +		    edx == X86EMUL_CPUID_VENDOR_AuthenticAMD_edx)
> +			return true;
> +
> +		/* AMD ("AMDisbetter!") */
> +		if (ebx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ebx &&
> +		    ecx == X86EMUL_CPUID_VENDOR_AMDisbetterI_ecx &&
> +		    edx == X86EMUL_CPUID_VENDOR_AMDisbetterI_edx)
> +			return true;
> +	}
> +
> +	/* default: (not Intel, not AMD), apply Intel's stricter rules... */
> +	return false;
> +}
> +
>  static int
>  emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
>  {
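
Review bot: `+	if (ops->get_cpuid(ctxt, &eax, &ebx, &ecx, &edx)) {` calls the new op unconditionally, so this patch only works once 1/2 has added `.get_cpuid` to emulate_ops; that ordering dependency belongs in the commit message so the two stable backports are not picked separately. The comment block before the Intel test could also state the resulting policy in one line: outside long mode an Intel or unrecognised vendor signature (and a missing leaf 0) yields #UD, the two AMD signatures continue to the EFER.SCE check, and long mode skips the vendor test entirely.
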
> @@ -1915,9 +1960,15 @@ emulate_syscall(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops)
>  	    ctxt->mode == X86EMUL_MODE_VM86)
>  		return emulate_ud(ctxt);
>  
> +	if (!(em_syscall_is_enabled(ctxt)))
> +		return emulate_ud(ctxt);
> +
>  	ops->get_msr(ctxt, MSR_EFER, &efer);
>  	setup_syscalls_segments(ctxt, ops, &cs, &ss);
>  
> +	if (!(efer & EFER_SCE))
> +		return emulate_ud(ctxt);
> +
>  	ops->get_msr(ctxt, MSR_STAR, &msr_data);
>  	msr_data >>= 32;
>  	cs_sel = (u16)(msr_data & 0xfffc);
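
Review bot: `setup_syscalls_segments(ctxt, ops, &cs, &ss);` still runs between `ops->get_msr(ctxt, MSR_EFER, &efer);` and `+	if (!(efer & EFER_SCE))`, so on the #UD path the cs/ss descriptors are built and thrown away; moving the SCE test directly under the get_msr call keeps all three rejections ahead of any state setup. Returning emulate_ud(ctxt) here, unlike the `return -1` of the v2.6.32.y version, delivers the #UD the commit message describes as the physical CPU's behaviour, which is the right outcome for the crashing 32-bit guest.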

ACK



* Re: [v3.0.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
  2012-03-22  8:50 ` [v3.0.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid" Stefan Bader
  2012-03-23 14:00   ` Marcelo Tosatti
@ 2012-03-23 17:22   ` Greg KH
  2012-03-23 17:47     ` Stefan Bader
  1 sibling, 1 reply; 16+ messages in thread
From: Greg KH @ 2012-03-23 17:22 UTC (permalink / raw)
  To: Stefan Bader; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

On Thu, Mar 22, 2012 at 09:50:43AM +0100, Stefan Bader wrote:
> >From eaee58e1433e1b16e686cfcdcbc207d4310a239f Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf@tu-ilmenau.de>
> Date: Thu, 12 Jan 2012 16:43:03 +0100
> Subject: [PATCH 7/8] KVM: x86: extend "struct x86_emulate_ops" with
>  "get_cpuid"

Stefan, what's with the crappy header here?  And the Subject?  Ick.

Come on, forcing me to hand-edit your patches just makes me grumpy...

greg k-h


* Re: [v3.0.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
  2012-03-23 17:22   ` Greg KH
@ 2012-03-23 17:47     ` Stefan Bader
  2012-03-23 17:57       ` Greg KH
  0 siblings, 1 reply; 16+ messages in thread
From: Stefan Bader @ 2012-03-23 17:47 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

On 23.03.2012 18:22, Greg KH wrote:
> On Thu, Mar 22, 2012 at 09:50:43AM +0100, Stefan Bader wrote:
>>> From eaee58e1433e1b16e686cfcdcbc207d4310a239f Mon Sep 17 00:00:00 2001
>> From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf@tu-ilmenau.de>
>> Date: Thu, 12 Jan 2012 16:43:03 +0100
>> Subject: [PATCH 7/8] KVM: x86: extend "struct x86_emulate_ops" with 
>> "get_cpuid"
> 
> Stefan, what's with the crappy header here?  And the Subject?  Ick.
> 
> Come on, forcing me to hand-edit your patches just makes me grumpy...
> 
> greg k-h

Greg, this is exactly the patch you get by using git format-patch and send it
away with git send-email. So I would say any grumpy or constructive comments
should go to the git development mailing list. ;)

-Stefan


* Re: [v3.0.y 1/2] KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
  2012-03-23 17:47     ` Stefan Bader
@ 2012-03-23 17:57       ` Greg KH
  0 siblings, 0 replies; 16+ messages in thread
From: Greg KH @ 2012-03-23 17:57 UTC (permalink / raw)
  To: Stefan Bader; +Cc: stable, kvm, Stephan Baerwolf, Avi Kivity, Marcelo Tosatti

On Fri, Mar 23, 2012 at 06:47:38PM +0100, Stefan Bader wrote:
> On 23.03.2012 18:22, Greg KH wrote:
> > On Thu, Mar 22, 2012 at 09:50:43AM +0100, Stefan Bader wrote:
> >>> From eaee58e1433e1b16e686cfcdcbc207d4310a239f Mon Sep 17 00:00:00 2001
> >> From: =?UTF-8?q?Stephan=20B=C3=A4rwolf?= <stephan.baerwolf@tu-ilmenau.de>
> >> Date: Thu, 12 Jan 2012 16:43:03 +0100
> >> Subject: [PATCH 7/8] KVM: x86: extend "struct x86_emulate_ops" with 
> >> "get_cpuid"
> > 
> > Stefan, what's with the crappy header here?  And the Subject?  Ick.
> > 
> > Come on, forcing me to hand-edit your patches just makes me grumpy...
> > 
> > greg k-h
> 
> Greg, this is exactly the patch you get by using git format-patch and send it
> away with git send-email. So I would say any grumpy or constructive comments
> should go to the git development mailing list. ;)

No it isn't at all.  That's not how the patch looks using git-send-email
for anything I've ever sent out.

Don't blame the tool, use it correctly.

Hint, look at the 7/8 crap, what is that there for?

greg k-h

