From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Eugene Korenevsky <ekorenevsky@gmail.com>,
kvm@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH v3 1/2] kvm: vmx: fix limit checking in get_vmx_mem_address()
Date: Wed, 5 Jun 2019 13:30:01 -0700 [thread overview]
Message-ID: <20190605203001.GF26328@linux.intel.com> (raw)
In-Reply-To: <20190605195729.GA25699@dnote>
On Wed, Jun 05, 2019 at 10:57:29PM +0300, Eugene Korenevsky wrote:
> Intel SDM vol. 3, 5.3:
> The processor causes a
> general-protection exception (or, if the segment is SS, a stack-fault
> exception) any time an attempt is made to access the following addresses
> in a segment:
> - A byte at an offset greater than the effective limit
> - A word at an offset greater than the (effective-limit – 1)
> - A doubleword at an offset greater than the (effective-limit – 3)
> - A quadword at an offset greater than the (effective-limit – 7)
>
> Therefore, the generic limit checking error condition must be
>
> exn = (off > limit + 1 - access_len) = (off + access_len - 1 > limit)
>
> but not
>
> exn = (off + access_len > limit)
>
> as for now.
>
> Note: access length is incorrectly set to sizeof(u64). This will be fixed in
> the subsequent patch.
>
> Signed-off-by: Eugene Korenevsky <ekorenevsky@gmail.com>
> ---
> Changes in v3 since v2: fixed limit checking condition to avoid underflow;
> added note
>
> arch/x86/kvm/vmx/nested.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index f1a69117ac0f..93df72597c72 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -4115,7 +4115,7 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification,
> */
> if (!(s.base == 0 && s.limit == 0xffffffff &&
> ((s.type & 8) || !(s.type & 4))))
> - exn = exn || (off + sizeof(u64) > s.limit);
> + exn = exn || (off + sizeof(u64) - 1 > s.limit);
This still has a wrap bug in 32-bit KVM, e.g. off == 0xffffffff will
incorrectly pass the limit check due to wrapping its unsigned long.
> }
> if (exn) {
> kvm_queue_exception_e(vcpu,
> --
> 2.21.0
>
prev parent reply other threads:[~2019-06-05 20:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-05 19:57 [PATCH v3 1/2] kvm: vmx: fix limit checking in get_vmx_mem_address() Eugene Korenevsky
2019-06-05 20:30 ` Sean Christopherson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190605203001.GF26328@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=ekorenevsky@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.