From: "Radim Krčmář" <rkrcmar@redhat.com>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: bsd@redhat.com, kvm@vger.kernel.org
Subject: Re: [bug report] KVM: nVMX: move vmclear and vmptrld pre-checks to nested_vmx_check_vmptr
Date: Thu, 18 May 2017 18:16:25 +0200 [thread overview]
Message-ID: <20170518161625.GA7438@potion> (raw)
In-Reply-To: <20170518074156.c4nbfxccrf33gtzd@mwanda>
2017-05-18 10:41+0300, Dan Carpenter:
> Hello Bandan Das,
>
> The patch 4291b58885f5: "KVM: nVMX: move vmclear and vmptrld
> pre-checks to nested_vmx_check_vmptr" from May 6, 2014, leads to the
> following static checker warning:
>
> arch/x86/kvm/vmx.c:7219 handle_vmclear()
> error: uninitialized symbol 'vmptr'.
>
> arch/x86/kvm/vmx.c
> 7206 /* Emulate the VMCLEAR instruction */
> 7207 static int handle_vmclear(struct kvm_vcpu *vcpu)
> 7208 {
> 7209 struct vcpu_vmx *vmx = to_vmx(vcpu);
> 7210 u32 zero = 0;
> 7211 gpa_t vmptr;
> 7212
> 7213 if (!nested_vmx_check_permission(vcpu))
> 7214 return 1;
> 7215
> 7216 if (nested_vmx_check_vmptr(vcpu, EXIT_REASON_VMCLEAR, &vmptr))
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> There are several success paths which don't initialize vmptr. This feels
> like a quite serious bug, but maybe handle_vmclear() is not used often
> so it doesn't show up in testing? I don't know. Or it could be that this
> code is just too complicated for my static checker and for my cursory analysis.
The success path can only happen when single-stepping the guest from
userspace (a rare scenario), which is why it didn't show up in testing.
I'll prepare a patch, thanks for all the reports.
> 7217 return 1;
> 7218
> 7219 if (vmptr == vmx->nested.current_vmptr)
> 7220 nested_release_vmcs12(vmx);
> 7221
> 7222 kvm_vcpu_write_guest(vcpu,
> 7223 vmptr + offsetof(struct vmcs12, launch_state),
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> 7224 &zero, sizeof(zero));
> 7225
> 7226 nested_free_vmcs02(vmx, vmptr);
> 7227
> 7228 nested_vmx_succeed(vcpu);
> 7229 return kvm_skip_emulated_instruction(vcpu);
> 7230 }
>
> Similar issue in:
> arch/x86/kvm/vmx.c:7551 handle_vmptrld() error: uninitialized symbol 'vmptr'.
>
> regards,
> dan carpenter
prev parent reply other threads:[~2017-05-18 16:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-18 7:41 [bug report] KVM: nVMX: move vmclear and vmptrld pre-checks to nested_vmx_check_vmptr Dan Carpenter
2017-05-18 16:16 ` Radim Krčmář [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170518161625.GA7438@potion \
--to=rkrcmar@redhat.com \
--cc=bsd@redhat.com \
--cc=dan.carpenter@oracle.com \
--cc=kvm@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.