From: "Jan Beulich" <JBeulich@suse.com>
To: george.dunlap@citrix.com
Cc: George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Wei Liu <wei.liu2@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: Re: [PATCH v3] x86emul/fuzz: add a state sanity checking function
Date: Mon, 27 May 2019 05:41:44 -0600 [thread overview]
Message-ID: <5CEBCCF80200007800232C34@prv1-mh.provo.novell.com> (raw)
In-Reply-To: <6fc3c72b-5111-04d0-7ba9-3c7d545c5dc1@citrix.com>
>>> On 27.05.19 at 12:51, <george.dunlap@citrix.com> wrote:
> On 4/2/19 2:01 PM, Jan Beulich wrote:
>> This is to accompany sanitize_input(). Just like for initial state we
>> want to have state between two emulated insns sane, at least as far as
>> assumptions in the main emulator go. Do minimal checking after segment
>> register, CR, and MSR writes, and roll back to the old value in case of
>> failure (raising #GP(0) at the same time).
>>
>> In the particular case observed, a CR0 write clearing CR0.PE was
>> followed by a VEX-encoded insn, which the decoder accepts based on
>> guest address size, restricting things just outside of the 64-bit case
>> (real and virtual modes don't allow VEX-encoded insns). Subsequently
>> _get_fpu() would then assert that CR0.PE must be set (and EFLAGS.VM
>> clear) when trying to invoke YMM, ZMM, or OPMASK state.
>>
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>
> Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Thanks.
> That said, I wonder if there's a way to avoid the duplication between
> sanitize_input() and check_state(). Another option would be to rework
> sanitize_input() (perhaps as sanizite_state()):
> * Accept a parameter saying whether to do optional changes (like
> CANONICALIZE_MAYBE)
> * Return a boolean saying whether any state was in fact sanitized.
>
> Then the current callers of check_state() could instead call
> sanitize_state(), and throw an exception if it returns 1. (Or some
> variation thereof.)
I did consider this at the time, but the two functions aren't doing
exactly the same validation. For example this
/* EFLAGS.VM not available in long mode */
if ( long_mode_active(ctxt) )
regs->rflags &= ~X86_EFLAGS_VM;
has no equivalent in check_state(), for it being an emulator bug
to ever set EFLAGS.VM in long mode. I therefore thought it would
be better to keep them separate despite there being partial
redundancy. If the set of checks grows, we could consider
factoring out the common subset into a helper function.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
WARNING: multiple messages have this Message-ID (diff)
From: "Jan Beulich" <JBeulich@suse.com>
To: <george.dunlap@citrix.com>
Cc: George Dunlap <George.Dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Wei Liu <wei.liu2@citrix.com>,
xen-devel <xen-devel@lists.xenproject.org>,
Roger Pau Monne <roger.pau@citrix.com>
Subject: Re: [Xen-devel] [PATCH v3] x86emul/fuzz: add a state sanity checking function
Date: Mon, 27 May 2019 05:41:44 -0600 [thread overview]
Message-ID: <5CEBCCF80200007800232C34@prv1-mh.provo.novell.com> (raw)
Message-ID: <20190527114144.n5OOjVWbdnby6hrvWT1Uit6GUjaKxmbp66qdCx2Ri6k@z> (raw)
In-Reply-To: <6fc3c72b-5111-04d0-7ba9-3c7d545c5dc1@citrix.com>
>>> On 27.05.19 at 12:51, <george.dunlap@citrix.com> wrote:
> On 4/2/19 2:01 PM, Jan Beulich wrote:
>> This is to accompany sanitize_input(). Just like for initial state we
>> want to have state between two emulated insns sane, at least as far as
>> assumptions in the main emulator go. Do minimal checking after segment
>> register, CR, and MSR writes, and roll back to the old value in case of
>> failure (raising #GP(0) at the same time).
>>
>> In the particular case observed, a CR0 write clearing CR0.PE was
>> followed by a VEX-encoded insn, which the decoder accepts based on
>> guest address size, restricting things just outside of the 64-bit case
>> (real and virtual modes don't allow VEX-encoded insns). Subsequently
>> _get_fpu() would then assert that CR0.PE must be set (and EFLAGS.VM
>> clear) when trying to invoke YMM, ZMM, or OPMASK state.
>>
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>
> Reviewed-by: George Dunlap <george.dunlap@citrix.com>
Thanks.
> That said, I wonder if there's a way to avoid the duplication between
> sanitize_input() and check_state(). Another option would be to rework
> sanitize_input() (perhaps as sanizite_state()):
> * Accept a parameter saying whether to do optional changes (like
> CANONICALIZE_MAYBE)
> * Return a boolean saying whether any state was in fact sanitized.
>
> Then the current callers of check_state() could instead call
> sanitize_state(), and throw an exception if it returns 1. (Or some
> variation thereof.)
I did consider this at the time, but the two functions aren't doing
exactly the same validation. For example this
/* EFLAGS.VM not available in long mode */
if ( long_mode_active(ctxt) )
regs->rflags &= ~X86_EFLAGS_VM;
has no equivalent in check_state(), for it being an emulator bug
to ever set EFLAGS.VM in long mode. I therefore thought it would
be better to keep them separate despite there being partial
redundancy. If the set of checks grows, we could consider
factoring out the common subset into a helper function.
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2019-05-27 11:41 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-29 14:54 [PATCH] x86emul/fuzz: add a state sanitization function Jan Beulich
2019-03-29 15:10 ` George Dunlap
2019-03-29 15:25 ` Jan Beulich
2019-04-01 7:46 ` [PATCH v2] " Jan Beulich
2019-04-01 10:44 ` George Dunlap
2019-04-01 12:05 ` Jan Beulich
2019-04-02 13:01 ` [PATCH v3] x86emul/fuzz: add a state sanity checking function Jan Beulich
2019-05-27 10:51 ` George Dunlap
2019-05-27 10:51 ` [Xen-devel] " George Dunlap
2019-05-27 11:41 ` Jan Beulich [this message]
2019-05-27 11:41 ` Jan Beulich
[not found] ` <5CA35D1302000000001041AA@prv1-mh.provo.novell.com>
[not found] ` <5CA35D130200007800232A80@prv1-mh.provo.novell.com>
2019-05-27 9:27 ` Ping: " Jan Beulich
2019-05-27 9:27 ` [Xen-devel] " Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5CEBCCF80200007800232C34@prv1-mh.provo.novell.com \
--to=jbeulich@suse.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=george.dunlap@citrix.com \
--cc=roger.pau@citrix.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.