Re: 答复: KVM vulnerability report about cpuid instruction

From: Wanpeng Li <kernellwp@gmail.com>
To: "Moguofang (Dennis mo)" <moguofang@huawei.com>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"Zhouyu (Axis Zhou, ICSL)" <axis.zhou@huawei.com>
Subject: Re: 答复: KVM vulnerability report about cpuid instruction
Date: Wed, 7 Jun 2017 17:54:14 +0800	[thread overview]
Message-ID: <CANRm+Cxd0iGFSCP_FTp1=P91j8j6wQTY6MYHPhdU=OUU46bgJQ@mail.gmail.com> (raw)
In-Reply-To: <CC01CF939DBB24468C9944BB5AB21407E569F87B@DGGEMM527-MBX.china.huawei.com>

2017-06-07 17:14 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
> the patch fixed the oob vulnerability when i = 79, but maybe the patch introduces an infinite loop, if i = 79, then j = 0, the do-while loop use cpuid_entries[0-78] to compare cpuid_entries[79], maybe fall into infinite loop.

It will not happen, if i == j, then ej->function == e->function and
for loop exit.

Anyway, another method is:

- for (j = i + 1; ; j = (j + 1) % nent) {
+ for (j = (i + 1) % nent; ; j = (j + 1) % nent) {

Regards,
Wanpeng Li

>
> Kind regards
> moguofang
>
> -----邮件原件-----
> 发件人: Wanpeng Li [mailto:kernellwp@gmail.com]
> 发送时间: 2017年6月7日 16:32
> 收件人: Moguofang (Dennis mo)
> 抄送: kvm@vger.kernel.org; Zhouyu (Axis Zhou, ICSL)
> 主题: Re: KVM vulnerability report about cpuid instruction
>
> 2017-06-07 15:09 GMT+08:00 Moguofang (Dennis mo) <moguofang@huawei.com>:
>> Hello!
>>         A new vulnerability discover by me.
>
> Could you test something like this?
>
> --------------------------->8-------------------------------------------
> --------------------------->------------------
>
> Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
>
> diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c index a181ae7..b927a42 100644
> --- a/arch/x86/kvm/cpuid.c
> +++ b/arch/x86/kvm/cpuid.c
> @@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid,
>
>  static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i)  {
> +    int j = i, nent = vcpu->arch.cpuid_nent;
>      struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i];
> -    int j, nent = vcpu->arch.cpuid_nent;
> +    struct kvm_cpuid_entry2 *ej;
>
>      e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT;
>      /* when no next entry is found, the current entry[i] is reselected */
> -    for (j = i + 1; ; j = (j + 1) % nent) {
> -        struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j];
> -        if (ej->function == e->function) {
> -            ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
> -            return j;
> -        }
> -    }
> -    return 0; /* silence gcc, even though control never reaches here */
> +    do {
> +        j = (j + 1) % nent;
> +        ej = &vcpu->arch.cpuid_entries[j];
> +    } while(ej->function != e->function);
> +
> +    ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;
> +
> +    return j;
>  }
>
>  /* find an entry with matching function, matching index (if needed), and that