From: Sean Christopherson
To: Paolo Bonzini
Cc: Sean Christopherson, Vitaly Kuznetsov, Wanpeng Li, Jim Mattson, Joerg Roedel, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Babu Moger, Joao Martins, David Woodhouse
Date: Fri, 12 Feb 2021 17:05:09 -0800
Message-Id: <20210213010518.1682691-1-seanjc@google.com>
Subject: [PATCH 0/9] KVM: x86: Fixes for (benign?) truncation bugs

Patches 01 and 02 fix theoretical bugs related to loading CRs through the
emulator. The rest of the patches are a bunch of small fixes for cases where
KVM reads/writes a 64-bit register outside of 64-bit mode.
I stumbled on this when puzzling over commit 0107973a80ad ("KVM: x86:
Introduce cr3_lm_rsvd_bits in kvm_vcpu_arch"), which stated that SEV guests
failed to boot on PCID-enabled hosts. Why only PCID hosts? After much
staring, I realized that the initial CR3 load in rsm_enter_protected_mode()
would skip the MAXPHYADDR check due to the vCPU not being in long mode. But
due to the ordering problems with PCID, when PCID is enabled in the guest,
the second load of CR3 would be done with long mode enabled and thus hit the
SEV C-bit bug.

Changing kvm_set_cr3() made me look at the callers, and seeing that SVM
didn't properly truncate the value made me look at everything else, and here
we are.

Note, I strongly suspect the emulator still has bugs. But, unless the guest
is deliberately trying to hit these types of bugs, even the ones fixed here,
they're likely benign. I figured I was more likely to break something than I
was to fix something by diving into the emulator, so I left it alone. For
now. :-)

P.S. A few of the segmentation tests in kvm-unit-tests fail with
unrestricted guest disabled, but those failures go back to at least v5.9.
I'll bisect 'em next week.
Sean Christopherson (9):
  KVM: x86: Remove emulator's broken checks on CR0/CR3/CR4 loads
  KVM: x86: Check CR3 GPA for validity regardless of vCPU mode
  KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode
  KVM: VMX: Truncate GPR value for DR and CR reads in !64-bit mode
  KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit
  KVM: nVMX: Truncate base/index GPR value on address calc in !64-bit
  KVM: x86/xen: Drop RAX[63:32] when processing hypercall
  KVM: SVM: Use default rAX size for INVLPGA emulation
  KVM: x86: Rename GPR accessors to make mode-aware variants the defaults

 arch/x86/kvm/emulate.c        | 68 +----------------------------------
 arch/x86/kvm/kvm_cache_regs.h | 19 ++++++----
 arch/x86/kvm/svm/svm.c        | 11 ++++--
 arch/x86/kvm/vmx/nested.c     | 14 ++++----
 arch/x86/kvm/vmx/vmx.c        |  6 ++--
 arch/x86/kvm/x86.c            | 19 ++++++----
 arch/x86/kvm/x86.h            |  8 ++---
 7 files changed, 47 insertions(+), 98 deletions(-)

-- 
2.30.0.478.g8a0d178c01-goog
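The two classes of bug the cover letter describes, illustrated as an added C example that is not KVM's code and not part of this series: a guest register read outside 64-bit mode must drop bits 63:32 (the value the guest can architecturally see is 32 bits wide, and the upper half may hold stale data), and the CR3 reserved-bit check against MAXPHYADDR must run regardless of whether the vCPU is in long mode. The function names, the `long_mode` flag and the `maxphyaddr` parameter are assumptions chosen for the illustration; `cr3_check_old()` reproduces the skipped-check behaviour the letter attributes to the initial CR3 load in rsm_enter_protected_mode(), and `cr3_check_new()` the mode-independent check the series moves to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/*
 * Mode-aware GPR read (illustrative, not KVM's accessor): outside 64-bit
 * mode only the low 32 bits of a GPR are architecturally visible, so any
 * stale or guest-controlled bits 63:32 are dropped before use.
 */
static u64 gpr_read_mode_aware(u64 raw, bool long_mode)
{
	return long_mode ? raw : (u64)(uint32_t)raw;
}

/* Bits at or above MAXPHYADDR are reserved in a CR3 physical address. */
static u64 cr3_rsvd_mask(unsigned int maxphyaddr)
{
	return maxphyaddr >= 64 ? 0 : ~((1ULL << maxphyaddr) - 1);
}

/*
 * The pre-fix pattern: the reserved-bit check is only applied when the
 * vCPU is in long mode, so a 64-bit value loaded while still in 32-bit
 * mode (e.g. the first CR3 load during RSM) is never validated.
 * Returns 0 if accepted, -1 if the load should fault.
 */
static int cr3_check_old(u64 cr3, bool long_mode, unsigned int maxphyaddr)
{
	if (!long_mode)
		return 0;	/* the gap: no check outside long mode */
	return (cr3 & cr3_rsvd_mask(maxphyaddr)) ? -1 : 0;
}

/* The fixed pattern: validate the GPA regardless of vCPU mode. */
static int cr3_check_new(u64 cr3, unsigned int maxphyaddr)
{
	return (cr3 & cr3_rsvd_mask(maxphyaddr)) ? -1 : 0;
}

/*
 * Emulated "MOV CR3, reg" with both fixes applied: truncate the source
 * GPR according to the current mode, then validate the result.  cr3_out
 * may be NULL when the caller only wants the verdict.
 */
static int emulate_mov_to_cr3(u64 gpr_raw, bool long_mode,
			      unsigned int maxphyaddr, u64 *cr3_out)
{
	u64 val = gpr_read_mode_aware(gpr_raw, long_mode);

	if (cr3_check_new(val, maxphyaddr))
		return -1;
	if (cr3_out)
		*cr3_out = val;
	return 0;
}

int main(void)
{
	/* Constructed sample: a page-aligned CR3 with garbage in bits 63:32. */
	u64 raw = 0xdeadbeef00001000ULL;
	unsigned int maxphyaddr = 36;
	u64 cr3;

	printf("old check, 32-bit mode: %d (reserved bits silently accepted)\n",
	       cr3_check_old(raw, false, maxphyaddr));
	printf("new check, untruncated:  %d (faults)\n",
	       cr3_check_new(raw, maxphyaddr));
	if (emulate_mov_to_cr3(raw, false, maxphyaddr, &cr3) == 0)
		printf("truncated + checked:     cr3=%#llx\n",
		       (unsigned long long)cr3);
	printf("64-bit mode, same value: %d (faults, as it should)\n",
	       emulate_mov_to_cr3(raw, true, maxphyaddr, NULL));
	return 0;
}
```

Run as-is it shows the three outcomes side by side: the old check lets the untruncated value through in 32-bit mode, the mode-independent check rejects it, and truncating first yields a CR3 of 0x1000 that passes, while the same raw value loaded in 64-bit mode is correctly rejected.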