[PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS

kvm.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS
@ 2019-07-15 15:47 Liran Alon
  2019-07-15 16:22 ` Vitaly Kuznetsov
  0 siblings, 1 reply; 6+ messages in thread
From: Liran Alon @ 2019-07-15 15:47 UTC (permalink / raw)
  To: pbonzini, rkrcmar, kvm; +Cc: max, Liran Alon, Joao Martins

As reported by Maxime at
https://bugzilla.kernel.org/show_bug.cgi?id=204175:

In vmx/nested.c::get_vmx_mem_address(), when the guest runs in long mode,
the base address of the memory operand is computed with a simple:
    *ret = s.base + off;

This is incorrect, the base applies only to FS and GS, not to the others.
Because of that, if the guest uses a VMX instruction based on DS and has
a DS.base that is non-zero, KVM wrongfully adds the base to the
resulting address.

Reported-by: Maxime Villard <max@m00nbsd.net>
Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
---
 arch/x86/kvm/vmx/nested.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
index 18efb338ed8a..e01e1b6b8167 100644
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4068,6 +4068,8 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification,
 		 * mode, e.g. a 32-bit address size can yield a 64-bit virtual
 		 * address when using FS/GS with a non-zero base.
 		 */
+		if ((seg_reg != VCPU_SREG_FS) && (seg_reg != VCPU_SREG_GS))
+			s.base = 0;
 		*ret = s.base + off;
 
 		/* Long mode: #GP(0)/#SS(0) if the memory address is in a
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS
  2019-07-15 15:47 [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS Liran Alon
@ 2019-07-15 16:22 ` Vitaly Kuznetsov
  2019-07-15 17:21   ` Sean Christopherson
  0 siblings, 1 reply; 6+ messages in thread
From: Vitaly Kuznetsov @ 2019-07-15 16:22 UTC (permalink / raw)
  To: Liran Alon; +Cc: max, Joao Martins, pbonzini, rkrcmar, kvm

Liran Alon <liran.alon@oracle.com> writes:

> As reported by Maxime at
> https://bugzilla.kernel.org/show_bug.cgi?id=204175:
>
> In vmx/nested.c::get_vmx_mem_address(), when the guest runs in long mode,
> the base address of the memory operand is computed with a simple:
>     *ret = s.base + off;
>
> This is incorrect, the base applies only to FS and GS, not to the others.
> Because of that, if the guest uses a VMX instruction based on DS and has
> a DS.base that is non-zero, KVM wrongfully adds the base to the
> resulting address.
>
> Reported-by: Maxime Villard <max@m00nbsd.net>
> Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
> Signed-off-by: Liran Alon <liran.alon@oracle.com>
> ---
>  arch/x86/kvm/vmx/nested.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index 18efb338ed8a..e01e1b6b8167 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -4068,6 +4068,8 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification,
>  		 * mode, e.g. a 32-bit address size can yield a 64-bit virtual
>  		 * address when using FS/GS with a non-zero base.
>  		 */
> +		if ((seg_reg != VCPU_SREG_FS) && (seg_reg != VCPU_SREG_GS))
> +			s.base = 0;

(personal preference)
 
 I'd rather write this as

    /* In long mode only FS and GS bases are considered */
    if (seg_reg == VCPU_SREG_FS || seg_reg == VCPU_SREG_GS)
       *ret = s.base + off;
    else 
       *ret = off;

>  		*ret = s.base + off;
>  
>  		/* Long mode: #GP(0)/#SS(0) if the memory address is in a

As-is or rewritten with my suggestion,

Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>

-- 
Vitaly

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS
  2019-07-15 16:22 ` Vitaly Kuznetsov
@ 2019-07-15 17:21   ` Sean Christopherson
  2019-07-15 18:28     ` Paolo Bonzini
  0 siblings, 1 reply; 6+ messages in thread
From: Sean Christopherson @ 2019-07-15 17:21 UTC (permalink / raw)
  To: Vitaly Kuznetsov; +Cc: Liran Alon, max, Joao Martins, pbonzini, rkrcmar, kvm

On Mon, Jul 15, 2019 at 06:22:52PM +0200, Vitaly Kuznetsov wrote:
> Liran Alon <liran.alon@oracle.com> writes:
> 
> > As reported by Maxime at
> > https://bugzilla.kernel.org/show_bug.cgi?id=204175:
> >
> > In vmx/nested.c::get_vmx_mem_address(), when the guest runs in long mode,
> > the base address of the memory operand is computed with a simple:
> >     *ret = s.base + off;
> >
> > This is incorrect, the base applies only to FS and GS, not to the others.
> > Because of that, if the guest uses a VMX instruction based on DS and has
> > a DS.base that is non-zero, KVM wrongfully adds the base to the
> > resulting address.
> >
> > Reported-by: Maxime Villard <max@m00nbsd.net>
> > Reviewed-by: Joao Martins <joao.m.martins@oracle.com>
> > Signed-off-by: Liran Alon <liran.alon@oracle.com>
> > ---
> >  arch/x86/kvm/vmx/nested.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> > index 18efb338ed8a..e01e1b6b8167 100644
> > --- a/arch/x86/kvm/vmx/nested.c
> > +++ b/arch/x86/kvm/vmx/nested.c
> > @@ -4068,6 +4068,8 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification,
> >  		 * mode, e.g. a 32-bit address size can yield a 64-bit virtual
> >  		 * address when using FS/GS with a non-zero base.
> >  		 */
> > +		if ((seg_reg != VCPU_SREG_FS) && (seg_reg != VCPU_SREG_GS))

I'm pretty sure the internal parantheses are unnecessary.

> > +			s.base = 0;
> 
> (personal preference)
>  
>  I'd rather write this as
> 
>     /* In long mode only FS and GS bases are considered */
>     if (seg_reg == VCPU_SREG_FS || seg_reg == VCPU_SREG_GS)
>        *ret = s.base + off;
>     else 
>        *ret = off;
> 
> >  		*ret = s.base + off;
> >  
> >  		/* Long mode: #GP(0)/#SS(0) if the memory address is in a
> 
> As-is or rewritten with my suggestion,

Likewise,

Reviewed-by: Sean Christopherson <sean.j.christopherson@intel.com>

> 
> Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
> 
> -- 
> Vitaly

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS
  2019-07-15 17:21   ` Sean Christopherson
@ 2019-07-15 18:28     ` Paolo Bonzini
  2019-07-15 18:30       ` Liran Alon
  0 siblings, 1 reply; 6+ messages in thread
From: Paolo Bonzini @ 2019-07-15 18:28 UTC (permalink / raw)
  To: Sean Christopherson, Vitaly Kuznetsov
  Cc: Liran Alon, max, Joao Martins, rkrcmar, kvm

On 15/07/19 19:21, Sean Christopherson wrote:
>>> +		if ((seg_reg != VCPU_SREG_FS) && (seg_reg != VCPU_SREG_GS))
> I'm pretty sure the internal parantheses are unnecessary.
> 

Indeed, that's so Pascal! :)  I'll apply Vitaly's suggestion and queue it.

Paolo

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS
  2019-07-15 18:28     ` Paolo Bonzini
@ 2019-07-15 18:30       ` Liran Alon
  2019-07-15 18:44         ` Sean Christopherson
  0 siblings, 1 reply; 6+ messages in thread
From: Liran Alon @ 2019-07-15 18:30 UTC (permalink / raw)
  To: Paolo Bonzini
  Cc: Sean Christopherson, Vitaly Kuznetsov, max, Joao Martins, rkrcmar, kvm



> On 15 Jul 2019, at 21:28, Paolo Bonzini <pbonzini@redhat.com> wrote:
> 
> On 15/07/19 19:21, Sean Christopherson wrote:
>>>> +		if ((seg_reg != VCPU_SREG_FS) && (seg_reg != VCPU_SREG_GS))
>> I'm pretty sure the internal parantheses are unnecessary.
>> 
> 
> Indeed, that's so Pascal! :)  I'll apply Vitaly's suggestion and queue it.
> 
> Paolo

I like parentheses as it makes ordering of expression a no-brainer. But that’s just a matter of taste I guess.
I don’t mind you will change it according to given suggestions. :)

-Liran

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS
  2019-07-15 18:30       ` Liran Alon
@ 2019-07-15 18:44         ` Sean Christopherson
  0 siblings, 0 replies; 6+ messages in thread
From: Sean Christopherson @ 2019-07-15 18:44 UTC (permalink / raw)
  To: Liran Alon
  Cc: Paolo Bonzini, Vitaly Kuznetsov, max, Joao Martins, rkrcmar, kvm

On Mon, Jul 15, 2019 at 09:30:48PM +0300, Liran Alon wrote:
> I like parentheses as it makes ordering of expression a no-brainer.

Matching parantheses is not my forte :-)

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2019-07-15 18:44 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-15 15:47 [PATCH] KVM: nVMX: Ignore segment base for VMX memory operand when segment not FS or GS Liran Alon
2019-07-15 16:22 ` Vitaly Kuznetsov
2019-07-15 17:21   ` Sean Christopherson
2019-07-15 18:28     ` Paolo Bonzini
2019-07-15 18:30       ` Liran Alon
2019-07-15 18:44         ` Sean Christopherson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).