From: Avi Kivity
Subject: Re: [PATCH] KVM: x86: Disallow hypercalls for guest callers in rings > 0
Date: Mon, 03 Aug 2009 17:27:33 +0300
Message-ID: <4A76F3D5.20703@redhat.com>
References: <4A76EA7B.4080509@siemens.com>
In-Reply-To: <4A76EA7B.4080509@siemens.com>
To: Jan Kiszka
Cc: kvm-devel

On 08/03/2009 04:47 PM, Jan Kiszka wrote:
> So far unprivileged guest callers running in ring 3 can issue, e.g., MMU
> hypercalls. Normally, such callers cannot provide any hand-crafted MMU
> command structure as it has to be passed by its physical address, but
> they can still crash the guest kernel by passing random addresses.
>
> To close the hole, this patch considers hypercalls valid only if issued
> from guest ring 0. This may still be relaxed on a per-hypercall base in
> the future once required.
>
> Signed-off-by: Jan Kiszka
> ---
>
> arch/x86/kvm/x86.c | 8 ++++++++
> include/linux/kvm_para.h | 1 +
> 2 files changed, 9 insertions(+), 0 deletions(-)
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index 2539e9a..966d309 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -3190,6 +3190,7 @@ static inline gpa_t hc_gpa(struct kvm_vcpu *vcpu, unsigned long a0, > int kvm_emulate_hypercall(struct kvm_vcpu *vcpu) > { > unsigned long nr, a0, a1, a2, a3, ret; > + struct kvm_segment cs; > int r = 1; > > nr = kvm_register_read(vcpu, VCPU_REGS_RAX);
> @@ -3208,6 +3209,12 @@ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu) > a3&= 0xFFFFFFFF; > } > > + kvm_get_segment(vcpu,&cs, VCPU_SREG_CS); > + if (cs.dpl != 0) { > + ret = -KVM_EPERM; > + goto out; > + } > +

I think kvm_x86_ops->get_cpl() is more accurate (and we can optimize it to avoid a ton of vmcs_read()s).

--
error compiling committee.c: too many arguments to function
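Review bot: in the second hunk, `cs.dpl` is the DPL field of the cached CS descriptor, not the vCPU's current privilege level, and the two are not always equal (under a conforming code segment the CPL is left unchanged while the descriptor's DPL can be lower, and the real-mode handling in the VMX segment accessors reports descriptor attributes rather than an effective privilege), so the privilege test should go through the CPL accessor (kvm_x86_ops->get_cpl()) instead of kvm_get_segment() plus `if (cs.dpl != 0)`. The `ret = -KVM_EPERM; goto out;` path also depends on the KVM_EPERM definition from the include/linux/kvm_para.h hunk that is not quoted here; since that value is handed back to the guest as the hypercall result, it belongs in that guest-visible header, and a short comment at the check saying the restriction is intentionally all-or-nothing for now (to be relaxed per hypercall later, as the commit message states) would spare the next reader a trip to the changelog.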