Re: [Xen-devel] [PATCH v7] x86/emulate: Send vm_event from emulate

[Alexandru Stefan ISAILA <aisaila@bitdefender.com>]

On 19.07.2019 16:18, Jan Beulich wrote:
> On 19.07.2019 14:34, Alexandru Stefan ISAILA wrote:
>> On 18.07.2019 15:58, Jan Beulich wrote:
>>> On 03.07.2019 12:56, Alexandru Stefan ISAILA wrote:

>>>> Currently, we are fully emulating the instruction at RIP when the hardware sees
>>>> an EPT fault with npfec.kind != npfec_kind_with_gla. This is, however,
>>>> incorrect, because the instruction at RIP might legitimately cause an
>>>> EPT fault of its own while accessing a _different_ page from the original one,
>>>> where A/D were set.
>>>> The solution is to perform the whole emulation,
>>>
>>> Above you said fully emulating such an insn is incorrect. To me the
>>> two statements contradict one another.
>>>
>>>> while ignoring EPT restrictions
>>>> for the walk part, and taking them into account for the "actual" emulating of
>>>> the instruction at RIP.
>>>
>>> So the "ignore" part here is because the walk doesn't currently send
>>> any events? That's an omission after all, which ultimately wants to
>>> get fixed. This in turn makes me wonder whether there couldn't be
>>> cases where a monitor actually wants to see these violations, too.
>>> After all one may be able to abuse to page walker to set bits in
>>> places you actually care to protect from undue modification.
>>
>> There is no need for events from page walk. Further work will have to be
>> done, when page-walk will send events, so that we can toggle that new
>> feature on/off.
> 
> Please can you move over to thinking in more general terms,
> not just what you need for your application. In this case
> "There is no need" != "We don't have a need for". And I think
> the VM event _interface_ should be arranged in a way that it
> already accounts for eventually correct behavior of the page
> walk paths.
> 

I'm not sure how future code for sending events form page-walk will be 
but I will try to make this patch have some checks in place so that it 
will work the same.

>>>> After the emulation stops we'll call hvm_vm_event_do_resume() again after the
>>>> introspection agent treats the event and resumes the guest. There, the
>>>> instruction at RIP will be fully emulated (with the EPT ignored) if the
>>>> introspection application allows it, and the guest will continue to run past
>>>> the instruction.
>>>>
>>>> We use hvmemul_map_linear_addr() to intercept r/w access and
>>>> __hvm_copy() to intercept exec access.
>>>
>>> Btw I continue to be unhappy about this asymmetry. Furthermore in
>>> the former case you only handle write and rmw accesses, but not
>>> reads afaics. I assume you don't care about reads, but this should
>>> then be made explicit. Furthermore EPT allows read protection, and
>>> there are p2m_access_w, p2m_access_wx, and p2m_access_x, so I guess
>>> ignoring reads can at best be an option picked by the monitor, not
>>> something to be left out of the interface altogether.
>>
>> That is correct, we are not interested in read events but there is
>> another problem, we are checking access and pfec to fill the event flag
>> and pfec only has a write flag(PFEC_write_access), in __hvmemul_read()
>> pfec only gets PFEC_page_present and there is no way to differentiate
>> write from read.
> 
> By the PFEC model, anything that's not a write or insn fetch is a
> read. The main anomaly is elsewhere: The write flag is also going
> to be set for RMW operations.
> 
>>>> hvm_emulate_send_vm_event() can return false if there was no violation,
>>>> if there was an error from monitor_traps() or p2m_get_mem_access().
>>>
>>> As said before - I don't think errors and lack of a violation can
>>> sensibly be treated the same way. Is the implication perhaps that
>>> emulation then will fail later anyway? If so, is such an
>>> assumption taking into consideration possible races?
>>
>> The only place that I can see a problem is the error from
>> monitor_traps(). That can be checked and accompanied by a warning msg.
> 
> How would a warning message help?
> 
>> Or if you can give me a different idea to go forward with this issue I
>> will be glad to review it.
> 
> I'm afraid you'll have to first of all give me an idea what the
> correct action is in case of such an error. And once you've done
> so, I'm pretty sure you'll recognize yourself whether the current
> code you have is appropriate (and I'll then know whether I want
> to insist on you changing the code).
> 

So I think that the return of hvm_emulate_send_vm_event() should not use 
the return of monitor_traps(). By the time monitor_traps() is called we 
are sure that there is a violation and emulation should stop regardless 
if the event was sent or not. In this idea the last return should be true.

>>>> --- a/xen/arch/x86/hvm/hvm.c
>>>> +++ b/xen/arch/x86/hvm/hvm.c
>>>> @@ -3224,6 +3224,14 @@ static enum hvm_translation_result __hvm_copy(
>>>>                  return HVMTRANS_bad_gfn_to_mfn;
>>>>              }
>>>>      
>>>> +        if ( unlikely(v->arch.vm_event) &&
>>>> +            v->arch.vm_event->send_event &&
>>>> +            hvm_emulate_send_vm_event(addr, gfn, pfec) )
>>>
>>> Indentation looks wrong again.
>>>
>>>> +        {
>>>> +            put_page(page);
>>>> +            return HVMTRANS_gfn_paged_out;
>>>
>>> Why "paged out"? If this is an intentional abuse, then you want
>>> to say so in a comment and justify the abuse here or in the
>>> description.

Yes this is intentional so linear_read() will return X86EMUL_RETRY.

Thanks for the review,
Alex
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel