From: "Jan Beulich" <JBeulich@suse.com> To: george.dunlap@citrix.com Cc: George Dunlap <George.Dunlap@eu.citrix.com>, Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wei.liu2@citrix.com>, xen-devel <xen-devel@lists.xenproject.org>, Roger Pau Monne <roger.pau@citrix.com> Subject: Re: [PATCH v3] x86emul/fuzz: add a state sanity checking function Date: Mon, 27 May 2019 05:41:44 -0600 [thread overview] Message-ID: <5CEBCCF80200007800232C34@prv1-mh.provo.novell.com> (raw) In-Reply-To: <6fc3c72b-5111-04d0-7ba9-3c7d545c5dc1@citrix.com> >>> On 27.05.19 at 12:51, <george.dunlap@citrix.com> wrote: > On 4/2/19 2:01 PM, Jan Beulich wrote: >> This is to accompany sanitize_input(). Just like for initial state we >> want to have state between two emulated insns sane, at least as far as >> assumptions in the main emulator go. Do minimal checking after segment >> register, CR, and MSR writes, and roll back to the old value in case of >> failure (raising #GP(0) at the same time). >> >> In the particular case observed, a CR0 write clearing CR0.PE was >> followed by a VEX-encoded insn, which the decoder accepts based on >> guest address size, restricting things just outside of the 64-bit case >> (real and virtual modes don't allow VEX-encoded insns). Subsequently >> _get_fpu() would then assert that CR0.PE must be set (and EFLAGS.VM >> clear) when trying to invoke YMM, ZMM, or OPMASK state. >> >> Signed-off-by: Jan Beulich <jbeulich@suse.com> > > Reviewed-by: George Dunlap <george.dunlap@citrix.com> Thanks. > That said, I wonder if there's a way to avoid the duplication between > sanitize_input() and check_state(). Another option would be to rework > sanitize_input() (perhaps as sanizite_state()): > * Accept a parameter saying whether to do optional changes (like > CANONICALIZE_MAYBE) > * Return a boolean saying whether any state was in fact sanitized. > > Then the current callers of check_state() could instead call > sanitize_state(), and throw an exception if it returns 1. (Or some > variation thereof.) I did consider this at the time, but the two functions aren't doing exactly the same validation. For example this /* EFLAGS.VM not available in long mode */ if ( long_mode_active(ctxt) ) regs->rflags &= ~X86_EFLAGS_VM; has no equivalent in check_state(), for it being an emulator bug to ever set EFLAGS.VM in long mode. I therefore thought it would be better to keep them separate despite there being partial redundancy. If the set of checks grows, we could consider factoring out the common subset into a helper function. Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
WARNING: multiple messages have this Message-ID (diff)
From: "Jan Beulich" <JBeulich@suse.com> To: <george.dunlap@citrix.com> Cc: George Dunlap <George.Dunlap@eu.citrix.com>, Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <wei.liu2@citrix.com>, xen-devel <xen-devel@lists.xenproject.org>, Roger Pau Monne <roger.pau@citrix.com> Subject: Re: [Xen-devel] [PATCH v3] x86emul/fuzz: add a state sanity checking function Date: Mon, 27 May 2019 05:41:44 -0600 [thread overview] Message-ID: <5CEBCCF80200007800232C34@prv1-mh.provo.novell.com> (raw) Message-ID: <20190527114144.n5OOjVWbdnby6hrvWT1Uit6GUjaKxmbp66qdCx2Ri6k@z> (raw) In-Reply-To: <6fc3c72b-5111-04d0-7ba9-3c7d545c5dc1@citrix.com> >>> On 27.05.19 at 12:51, <george.dunlap@citrix.com> wrote: > On 4/2/19 2:01 PM, Jan Beulich wrote: >> This is to accompany sanitize_input(). Just like for initial state we >> want to have state between two emulated insns sane, at least as far as >> assumptions in the main emulator go. Do minimal checking after segment >> register, CR, and MSR writes, and roll back to the old value in case of >> failure (raising #GP(0) at the same time). >> >> In the particular case observed, a CR0 write clearing CR0.PE was >> followed by a VEX-encoded insn, which the decoder accepts based on >> guest address size, restricting things just outside of the 64-bit case >> (real and virtual modes don't allow VEX-encoded insns). Subsequently >> _get_fpu() would then assert that CR0.PE must be set (and EFLAGS.VM >> clear) when trying to invoke YMM, ZMM, or OPMASK state. >> >> Signed-off-by: Jan Beulich <jbeulich@suse.com> > > Reviewed-by: George Dunlap <george.dunlap@citrix.com> Thanks. > That said, I wonder if there's a way to avoid the duplication between > sanitize_input() and check_state(). Another option would be to rework > sanitize_input() (perhaps as sanizite_state()): > * Accept a parameter saying whether to do optional changes (like > CANONICALIZE_MAYBE) > * Return a boolean saying whether any state was in fact sanitized. > > Then the current callers of check_state() could instead call > sanitize_state(), and throw an exception if it returns 1. (Or some > variation thereof.) I did consider this at the time, but the two functions aren't doing exactly the same validation. For example this /* EFLAGS.VM not available in long mode */ if ( long_mode_active(ctxt) ) regs->rflags &= ~X86_EFLAGS_VM; has no equivalent in check_state(), for it being an emulator bug to ever set EFLAGS.VM in long mode. I therefore thought it would be better to keep them separate despite there being partial redundancy. If the set of checks grows, we could consider factoring out the common subset into a helper function. Jan _______________________________________________ Xen-devel mailing list Xen-devel@lists.xenproject.org https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2019-05-27 11:41 UTC|newest] Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top 2019-03-29 14:54 [PATCH] x86emul/fuzz: add a state sanitization function Jan Beulich 2019-03-29 15:10 ` George Dunlap 2019-03-29 15:25 ` Jan Beulich 2019-04-01 7:46 ` [PATCH v2] " Jan Beulich 2019-04-01 10:44 ` George Dunlap 2019-04-01 12:05 ` Jan Beulich 2019-04-02 13:01 ` [PATCH v3] x86emul/fuzz: add a state sanity checking function Jan Beulich 2019-05-27 10:51 ` George Dunlap 2019-05-27 10:51 ` [Xen-devel] " George Dunlap 2019-05-27 11:41 ` Jan Beulich [this message] 2019-05-27 11:41 ` Jan Beulich [not found] ` <5CA35D1302000000001041AA@prv1-mh.provo.novell.com> [not found] ` <5CA35D130200007800232A80@prv1-mh.provo.novell.com> 2019-05-27 9:27 ` Ping: " Jan Beulich 2019-05-27 9:27 ` [Xen-devel] " Jan Beulich
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=5CEBCCF80200007800232C34@prv1-mh.provo.novell.com \ --to=jbeulich@suse.com \ --cc=George.Dunlap@eu.citrix.com \ --cc=andrew.cooper3@citrix.com \ --cc=george.dunlap@citrix.com \ --cc=roger.pau@citrix.com \ --cc=wei.liu2@citrix.com \ --cc=xen-devel@lists.xenproject.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.