From: Maxim Levitsky <mlevitsk@redhat.com>
To: Denis Valeev <lemniscattaden@gmail.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH] KVM: x86: nSVM: skip eax alignment check for non-SVM instructions
Date: Sat, 22 Jan 2022 23:21:47 +0200
Message-ID: <5c84ef95b457091964c3fd0ceac4bb99900018b3.camel@redhat.com>
In-Reply-To: <Yexlhaoe1Fscm59u@q>

On Sat, 2022-01-22 at 23:13 +0300, Denis Valeev wrote:
> The bug occurs on a #GP triggered by the VMware backdoor when the eax value is
> unaligned. The eax alignment check should not be applied to non-SVM
> instructions because it leads to incorrect omission of the instruction
> emulation.
> Apply the alignment check only to SVM instructions to fix this.
> 
> Fixes: d1cba6c92237 ("KVM: x86: nSVM: test eax for 4K alignment for GP errata workaround")
> 
> Signed-off-by: Denis Valeev <lemniscattaden@gmail.com>
> ---
> This bug breaks nyx-fuzz (https://nyx-fuzz.com), which uses the VMware backdoor
> as an alternative way to issue a hypercall from guest user mode. With this bug
> a hypercall is interpreted as a GP and leads to process termination.
> 
>  arch/x86/kvm/svm/svm.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/x86/kvm/svm/svm.c b/arch/x86/kvm/svm/svm.c
> index e64f16237b60..b5e4731080ef 100644
> --- a/arch/x86/kvm/svm/svm.c
> +++ b/arch/x86/kvm/svm/svm.c
> @@ -2233,10 +2233,6 @@ static int gp_interception(struct kvm_vcpu *vcpu)
>  	if (error_code)
>  		goto reinject;
>  
> -	/* All SVM instructions expect page aligned RAX */
> -	if (svm->vmcb->save.rax & ~PAGE_MASK)
> -		goto reinject;
> -
>  	/* Decode the instruction for usage later */
>  	if (x86_decode_emulated_instruction(vcpu, 0, NULL, 0) != EMULATION_OK)
>  		goto reinject;
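Review bot: removing the RAX check ahead of x86_decode_emulated_instruction() means every #GP with a zero error code now reaches the decoder regardless of RAX, so it is worth confirming that nothing between the decode and the opcode dispatch relies on RAX being page aligned; from the visible lines only the SVM branch does, which is what the commit message argues. A short sentence in the commit message saying that the check was previously rejecting the VMware backdoor before it was ever decoded (and so before EMULTYPE_VMWARE_GP could be reached) would make the "incorrect omission of the instruction emulation" wording concrete for readers of the log.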
> @@ -2254,8 +2250,13 @@ static int gp_interception(struct kvm_vcpu *vcpu)
>  		if (!is_guest_mode(vcpu))
>  			return kvm_emulate_instruction(vcpu,
>  				EMULTYPE_VMWARE_GP | EMULTYPE_NO_DECODE);
> -	} else
> +	} else {
> +		/* All SVM instructions expect page aligned RAX */
> +		if (svm->vmcb->save.rax & ~PAGE_MASK)
> +			goto reinject;
> +
>  		return emulate_svm_instr(vcpu, opcode);
> +	}
>  
>  reinject:
>  	kvm_queue_exception_e(vcpu, GP_VECTOR, error_code);
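Review bot: the new `goto reinject` inside the else branch reinjects with the original error_code, which is known to be zero at this point because the function already took `if (error_code) goto reinject;` earlier, so the guest still sees #GP(0) for an SVM instruction with unaligned RAX, matching the pre-patch behaviour; since the check now sits far from that early bail-out, a one-line comment stating that error_code is zero here would save the next reader the trip back up. Adding braces to the else arm once it holds more than one statement is the right call per kernel style, and `} else {` on L50 shows the if arm already had them, so the two arms stay consistent.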


Oops.

Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>


Thanks,
Best regards,
	Maxim Levitsky

