[v2,7/9] KVM: x86/xen: Drop RAX[63:32] when processing hypercall
diff mbox series

Message ID 20210422022128.3464144-8-seanjc@google.com
State New, archived
Headers show
Series
  • KVM: x86: Fixes for (benign?) truncation bugs
Related show

Commit Message

Sean Christopherson April 22, 2021, 2:21 a.m. UTC
Truncate RAX to 32 bits, i.e. consume EAX, when retrieving the hypecall
index for a Xen hypercall.  Per Xen documentation[*], the index is EAX
when the vCPU is not in 64-bit mode.

[*] http://xenbits.xenproject.org/docs/sphinx-unstable/guest-guide/x86/hypercall-abi.html

Fixes: 23200b7a30de ("KVM: x86/xen: intercept xen hypercalls if enabled")
Cc: Joao Martins <joao.m.martins@oracle.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
---
 arch/x86/kvm/xen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Vitaly Kuznetsov April 22, 2021, 9:51 a.m. UTC | #1
Sean Christopherson <seanjc@google.com> writes:

> Truncate RAX to 32 bits, i.e. consume EAX, when retrieving the hypecall
> index for a Xen hypercall.  Per Xen documentation[*], the index is EAX
> when the vCPU is not in 64-bit mode.
>
> [*] http://xenbits.xenproject.org/docs/sphinx-unstable/guest-guide/x86/hypercall-abi.html
>
> Fixes: 23200b7a30de ("KVM: x86/xen: intercept xen hypercalls if enabled")
> Cc: Joao Martins <joao.m.martins@oracle.com>
> Cc: David Woodhouse <dwmw@amazon.co.uk>
> Cc: stable@vger.kernel.org
> Signed-off-by: Sean Christopherson <seanjc@google.com>
> ---
>  arch/x86/kvm/xen.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
> index ae17250e1efe..7f27bb65a572 100644
> --- a/arch/x86/kvm/xen.c
> +++ b/arch/x86/kvm/xen.c
> @@ -673,7 +673,7 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu)
>  	bool longmode;
>  	u64 input, params[6];
>  
> -	input = (u64)kvm_register_read(vcpu, VCPU_REGS_RAX);
> +	input = (u64)kvm_register_readl(vcpu, VCPU_REGS_RAX);
>  
>  	/* Hyper-V hypercalls get bit 31 set in EAX */
>  	if ((input & 0x80000000) &&

Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>

Alternatively, as a minor optimization, you could've used '!longmode'
check below, something like:

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index ae17250e1efe..7df1498d3a41 100644
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -682,6 +682,7 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu)
 
        longmode = is_64_bit_mode(vcpu);
        if (!longmode) {
+               input = (u32)input;
                params[0] = (u32)kvm_rbx_read(vcpu);
                params[1] = (u32)kvm_rcx_read(vcpu);
                params[2] = (u32)kvm_rdx_read(vcpu);
Paolo Bonzini April 22, 2021, 10:35 a.m. UTC | #2
On 22/04/21 11:51, Vitaly Kuznetsov wrote:
> Sean Christopherson <seanjc@google.com> writes:
> 
>> Truncate RAX to 32 bits, i.e. consume EAX, when retrieving the hypecall
>> index for a Xen hypercall.  Per Xen documentation[*], the index is EAX
>> when the vCPU is not in 64-bit mode.
>>
>> [*] http://xenbits.xenproject.org/docs/sphinx-unstable/guest-guide/x86/hypercall-abi.html
>>
>> Fixes: 23200b7a30de ("KVM: x86/xen: intercept xen hypercalls if enabled")
>> Cc: Joao Martins <joao.m.martins@oracle.com>
>> Cc: David Woodhouse <dwmw@amazon.co.uk>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Sean Christopherson <seanjc@google.com>
>> ---
>>   arch/x86/kvm/xen.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
>> index ae17250e1efe..7f27bb65a572 100644
>> --- a/arch/x86/kvm/xen.c
>> +++ b/arch/x86/kvm/xen.c
>> @@ -673,7 +673,7 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu)
>>   	bool longmode;
>>   	u64 input, params[6];
>>   
>> -	input = (u64)kvm_register_read(vcpu, VCPU_REGS_RAX);
>> +	input = (u64)kvm_register_readl(vcpu, VCPU_REGS_RAX);
>>   
>>   	/* Hyper-V hypercalls get bit 31 set in EAX */
>>   	if ((input & 0x80000000) &&
> 
> Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
> 
> Alternatively, as a minor optimization, you could've used '!longmode'
> check below, something like:
> 
> diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
> index ae17250e1efe..7df1498d3a41 100644
> --- a/arch/x86/kvm/xen.c
> +++ b/arch/x86/kvm/xen.c
> @@ -682,6 +682,7 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu)
>   
>          longmode = is_64_bit_mode(vcpu);
>          if (!longmode) {
> +               input = (u32)input;
>                  params[0] = (u32)kvm_rbx_read(vcpu);
>                  params[1] = (u32)kvm_rcx_read(vcpu);
>                  params[2] = (u32)kvm_rdx_read(vcpu);
> 

You haven't seen patch 9 yet. :)

Paolo
Vitaly Kuznetsov April 22, 2021, 10:49 a.m. UTC | #3
Paolo Bonzini <pbonzini@redhat.com> writes:

> On 22/04/21 11:51, Vitaly Kuznetsov wrote:
>> Sean Christopherson <seanjc@google.com> writes:
>> 
>>> Truncate RAX to 32 bits, i.e. consume EAX, when retrieving the hypecall
>>> index for a Xen hypercall.  Per Xen documentation[*], the index is EAX
>>> when the vCPU is not in 64-bit mode.
>>>
>>> [*] http://xenbits.xenproject.org/docs/sphinx-unstable/guest-guide/x86/hypercall-abi.html
>>>
>>> Fixes: 23200b7a30de ("KVM: x86/xen: intercept xen hypercalls if enabled")
>>> Cc: Joao Martins <joao.m.martins@oracle.com>
>>> Cc: David Woodhouse <dwmw@amazon.co.uk>
>>> Cc: stable@vger.kernel.org
>>> Signed-off-by: Sean Christopherson <seanjc@google.com>
>>> ---
>>>   arch/x86/kvm/xen.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
>>> index ae17250e1efe..7f27bb65a572 100644
>>> --- a/arch/x86/kvm/xen.c
>>> +++ b/arch/x86/kvm/xen.c
>>> @@ -673,7 +673,7 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu)
>>>   	bool longmode;
>>>   	u64 input, params[6];
>>>   
>>> -	input = (u64)kvm_register_read(vcpu, VCPU_REGS_RAX);
>>> +	input = (u64)kvm_register_readl(vcpu, VCPU_REGS_RAX);
>>>   
>>>   	/* Hyper-V hypercalls get bit 31 set in EAX */
>>>   	if ((input & 0x80000000) &&
>> 
>> Reviewed-by: Vitaly Kuznetsov <vkuznets@redhat.com>
>> 
>> Alternatively, as a minor optimization, you could've used '!longmode'
>> check below, something like:
>> 
>> diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
>> index ae17250e1efe..7df1498d3a41 100644
>> --- a/arch/x86/kvm/xen.c
>> +++ b/arch/x86/kvm/xen.c
>> @@ -682,6 +682,7 @@ int kvm_xen_hypercall(struct kvm_vcpu *vcpu)
>>   
>>          longmode = is_64_bit_mode(vcpu);
>>          if (!longmode) {
>> +               input = (u32)input;
>>                  params[0] = (u32)kvm_rbx_read(vcpu);
>>                  params[1] = (u32)kvm_rcx_read(vcpu);
>>                  params[2] = (u32)kvm_rdx_read(vcpu);
>> 
>
> You haven't seen patch 9 yet. :)
>

True; suggestion dismissed :-)

Patch
diff mbox series

diff --git a/arch/x86/kvm/xen.c b/arch/x86/kvm/xen.c
index ae17250e1efe..7f27bb65a572 100644
--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -673,7 +673,7 @@  int kvm_xen_hypercall(struct kvm_vcpu *vcpu)
 	bool longmode;
 	u64 input, params[6];
 
-	input = (u64)kvm_register_read(vcpu, VCPU_REGS_RAX);
+	input = (u64)kvm_register_readl(vcpu, VCPU_REGS_RAX);
 
 	/* Hyper-V hypercalls get bit 31 set in EAX */
 	if ((input & 0x80000000) &&