From: Lai Jiangshan <jiangshanlai@gmail.com>
To: linux-kernel@vger.kernel.org, kvm@vger.kernel.org,
	Paolo Bonzini <pbonzini@redhat.com>,
	Sean Christopherson <seanjc@google.com>
Cc: Lai Jiangshan <jiangshan.ljs@antgroup.com>
Subject: [PATCH 0/2] KVM: X86/MMU: Fix problem for shadowing 5-level NPT for 4-level NPT L1 guest
Date: Wed, 20 Apr 2022 21:12:02 +0800
Message-ID: <20220420131204.2850-1-jiangshanlai@gmail.com>

From: Lai Jiangshan <jiangshan.ljs@antgroup.com>

When shadowing 5-level NPT for 4-level NPT L1 guest, the root_sp is
allocated with role.level = 5 and the guest pagetable's root gfn.

And root_sp->spt[0] is also allocated with the same gfn and the same
role except role.level = 4.  Luckily they are different shadow
pages, but only root_sp->spt[0] is the real translation of the guest
pagetable.

Here comes a problem:

If the guest switches from gCR4_LA57=0 to gCR4_LA57=1 (or vice versa)
and uses the same gfn as the root page for nested NPT before and after
switching gCR4_LA57, the host (hCR4_LA57=1) might use the same root_sp
for the guest even if the guest switches gCR4_LA57.  The guest will see
an unexpected page mapped, and L2 may exploit the bug and hurt L1.  It is
lucky that the problem can't hurt L0.

Fix it by introducing role.passthrough.

Lai Jiangshan (2):
  KVM: X86/MMU: Add sp_has_gptes()
  KVM: X86/MMU: Introduce role.passthrough for shadowing 5-level NPT for
    4-level NPT L1 guest

 Documentation/virt/kvm/mmu.rst  |  3 +++
 arch/x86/include/asm/kvm_host.h |  5 +++--
 arch/x86/kvm/mmu/mmu.c          | 38 +++++++++++++++++++++++++++------
 arch/x86/kvm/mmu/paging_tmpl.h  |  1 +
 4 files changed, 38 insertions(+), 9 deletions(-)

-- 
2.19.1.6.gb485710b
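A constructed C model, added here and not KVM's own code, of the lookup collision the cover letter describes: shadow pages are found by (gfn, role), so without a passthrough bit the level-5 passthrough root allocated while the guest runs with LA57=0 is indistinguishable from a real level-5 root for the same gfn once the guest enables LA57. The struct names, the tiny fixed-size cache and the gfn value are all constructed; KVM's real role union and hash table carry many more fields.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
struct role { /* simplified model: only the two bits that matter here */
	uint8_t level;       /* page-table level this shadow page stands for */
	uint8_t passthrough; /* 1: host-only level above the guest's real root */
};
struct shadow_page {
	uint64_t gfn;        /* guest frame this shadow page is derived from */
	struct role role;
	bool in_use;
};
static struct shadow_page cache[8]; /* constructed, tiny fixed-size cache */
/* Return an existing shadow page with identical (gfn, role), else allocate one. */
static int get_shadow_page(uint64_t gfn, struct role role, bool *reused)
{
	int free_slot = -1;
	for (int i = 0; i < 8; i++) {
		if (!cache[i].in_use) {
			if (free_slot < 0) free_slot = i;
			continue;
		}
		if (cache[i].gfn == gfn && cache[i].role.level == role.level &&
		    cache[i].role.passthrough == role.passthrough) {
			*reused = true;
			return i;
		}
	}
	if (free_slot < 0) return -1; /* cache full */
	cache[free_slot] = (struct shadow_page){ .gfn = gfn, .role = role, .in_use = true };
	*reused = false;
	return free_slot;
}
/* Scenario from the cover letter: host LA57=1 shadows the same guest root gfn,
 * first with guest LA57=0, then with guest LA57=1. Returns true when the
 * second lookup wrongly reuses the passthrough root instead of a fresh one. */
static bool root_is_wrongly_shared(bool track_passthrough)
{
	const uint64_t root_gfn = 0x1234; /* constructed value */
	bool reused;
	memset(cache, 0, sizeof(cache));
	/* Guest LA57=0: level-5 passthrough root over the real level-4 shadow. */
	struct role pt = { .level = 5, .passthrough = track_passthrough ? 1 : 0 };
	get_shadow_page(root_gfn, pt, &reused);
	get_shadow_page(root_gfn, (struct role){ .level = 4 }, &reused);
	/* Guest switches to LA57=1, same root gfn: now a real level-5 root. */
	get_shadow_page(root_gfn, (struct role){ .level = 5 }, &reused);
	return reused;
}
```

With the passthrough bit ignored the third lookup hits the stale passthrough root; with it tracked, a distinct shadow page is allocated for the real level-5 root.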


