From: Jim Mattson <jmattson@google.com>
To: kvm@vger.kernel.org, pbonzini@redhat.com
Cc: Jim Mattson <jmattson@google.com>
Subject: [PATCH 00/12] KVM: nVMX: Fix vmcs02 PID use-after-free issue
Date: Thu, 20 May 2021 16:03:27 -0700
Message-ID: <20210520230339.267445-1-jmattson@google.com>
When the VMCS12 posted interrupt descriptor isn't backed by an L1
memslot, kvm will launch vmcs02 with a stale posted interrupt
descriptor. Before commit 6beb7bd52e48 ("kvm: nVMX: Refactor
nested_get_vmcs12_pages()"), kvm would have silently disabled the
VMCS02 "process posted interrupts" VM-execution control. Both
behaviors are wrong, though the use-after-free is more egregious.

Empirical tests on actual hardware reveal that a posted interrupt
descriptor without any backing memory/device has PCI bus error
semantics (reads return all 1's and writes are discarded). However,
kvm can't tell an unbacked address from an MMIO address. Normally, kvm
would ask userspace for an MMIO completion, but that's complicated for
a posted interrupt descriptor access. There are already a number of
cases where kvm bails out to userspace with KVM_INTERNAL_ERROR via
kvm_handle_memory_failure, so that seems like the best route to take.

It would be relatively easy to invoke kvm_handle_memory_failure at
emulated VM-entry, but that approach would break existing
kvm-unit-tests. Moreover, the issue doesn't really come up until the
vCPU--in virtualized VMX non-root operation--receives the posted
interrupt notification vector indicated in its VMCS12.

Sadly, it's really hard to arrange for an exit to userspace from
vmx_complete_nested_posted_interrupt, which is where kvm actually
needs to access the unbacked PID. Initially, I added a new kvm request
for a userspace exit on the next guest entry, but Sean hated that
approach. Based on his suggestion, I added the plumbing to get back
out to userspace in the event of an error in
vmx_complete_nested_posted_interrupt. This works in the case of an
unbacked PID, but it doesn't work quite as well in the case of an
unbacked virtual APIC page (another case where kvm was happy to just
silently ignore the problem and attempt to muddle its way through). In
that case, this series is an incremental improvement, but it's not a
complete fix.
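The two checks the cover letter describes, as an added illustrative model in C that is not KVM's code: a memslot lookup for the vmcs12 posted interrupt descriptor, an emulated VM-entry that disables the vmcs02 control when the descriptor isn't mappable, and a notification-time access that reports failure (the KVM_INTERNAL_ERROR route) instead of reusing a pointer that a memslot change has invalidated. The struct layouts, function names and the 64-byte PID size are assumptions of this model.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not KVM's code: a memslot is (gfn, page count, host buffer). */
#define PAGE_SHIFT 12
#define PID_BYTES 64u
#define PIN_BASED_POSTED_INTR (1u << 7) /* "process posted interrupts" pin-based control */

struct memslot { uint64_t base_gfn, npages; uint8_t *hva; };
struct vm { struct memslot slots[4]; int nslots; };
struct vmcs12 { uint32_t pin_based_ctls; uint64_t posted_intr_desc_addr; };
struct vmcs02 { uint32_t pin_based_ctls; uint8_t *pi_desc; };

/* Resolve the PID at @gpa to host memory, or NULL when no memslot backs all of it. */
static uint8_t *map_pid(const struct vm *vm, uint64_t gpa)
{
    for (int i = 0; i < vm->nslots; i++) {
        uint64_t start = vm->slots[i].base_gfn << PAGE_SHIFT;
        uint64_t end = start + (vm->slots[i].npages << PAGE_SHIFT);
        if (gpa >= start && gpa + PID_BYTES <= end)
            return vm->slots[i].hva + (gpa - start);
    }
    return NULL;
}

/* Emulated VM-entry: drop any cached pointer, re-resolve the vmcs12 PID and, when it
 * isn't mappable, run vmcs02 with posted interrupts disabled rather than stale memory. */
static void prepare_vmcs02_posted_intr(const struct vm *vm, const struct vmcs12 *v12,
                                       struct vmcs02 *v02)
{
    v02->pi_desc = NULL;
    v02->pin_based_ctls = v12->pin_based_ctls & ~PIN_BASED_POSTED_INTR;
    if (!(v12->pin_based_ctls & PIN_BASED_POSTED_INTR))
        return;
    v02->pi_desc = map_pid(vm, v12->posted_intr_desc_addr);
    if (v02->pi_desc)
        v02->pin_based_ctls |= PIN_BASED_POSTED_INTR;
}

/* Notification vector arrival: the PID must be read now, so resolve it again instead of
 * trusting the pointer cached at entry. Returns 0 when the descriptor is accessible and
 * -1 when the caller should exit to userspace with KVM_INTERNAL_ERROR. */
static int complete_nested_posted_interrupt(const struct vm *vm, const struct vmcs12 *v12,
                                            struct vmcs02 *v02)
{
    if (!(v02->pin_based_ctls & PIN_BASED_POSTED_INTR))
        return 0;
    v02->pi_desc = map_pid(vm, v12->posted_intr_desc_addr);
    return v02->pi_desc ? 0 : -1; /* a full implementation would now consume the PID */
}
```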
Jim Mattson (12):
KVM: x86: Remove guest mode check from kvm_check_nested_events
KVM: x86: Wake up a vCPU when kvm_check_nested_events fails
KVM: nVMX: Add a return code to vmx_complete_nested_posted_interrupt
KVM: x86: Add a return code to inject_pending_event
KVM: x86: Add a return code to kvm_apic_accept_events
KVM: nVMX: Fail on MMIO completion for nested posted interrupts
KVM: nVMX: Disable vmcs02 posted interrupts if vmcs12 PID isn't mappable
KVM: selftests: Move APIC definitions into a separate file
KVM: selftests: Hoist APIC functions out of individual tests
KVM: selftests: Introduce x2APIC register manipulation functions
KVM: selftests: Introduce prepare_tpr_shadow
KVM: selftests: Add a test of an unbacked nested PI descriptor
arch/x86/kvm/lapic.c | 11 +-
arch/x86/kvm/lapic.h | 2 +-
arch/x86/kvm/vmx/nested.c | 31 ++-
arch/x86/kvm/x86.c | 56 ++--
tools/testing/selftests/kvm/.gitignore | 1 +
tools/testing/selftests/kvm/Makefile | 3 +-
.../selftests/kvm/include/x86_64/apic.h | 91 +++++++
.../selftests/kvm/include/x86_64/processor.h | 49 +---
.../selftests/kvm/include/x86_64/vmx.h | 6 +
tools/testing/selftests/kvm/lib/x86_64/apic.c | 45 ++++
tools/testing/selftests/kvm/lib/x86_64/vmx.c | 8 +
.../testing/selftests/kvm/x86_64/evmcs_test.c | 11 +-
.../selftests/kvm/x86_64/set_boot_cpu_id.c | 6 +-
tools/testing/selftests/kvm/x86_64/smm_test.c | 4 +-
.../selftests/kvm/x86_64/vmx_pi_mmio_test.c | 252 ++++++++++++++++++
.../selftests/kvm/x86_64/xapic_ipi_test.c | 59 +---
16 files changed, 488 insertions(+), 147 deletions(-)
create mode 100644 tools/testing/selftests/kvm/include/x86_64/apic.h
create mode 100644 tools/testing/selftests/kvm/lib/x86_64/apic.c
create mode 100644 tools/testing/selftests/kvm/x86_64/vmx_pi_mmio_test.c
--
2.31.1.818.g46aad6cb9e-goog