From: Paolo Bonzini <pbonzini@redhat.com>
To: Ben Hutchings <ben@decadent.org.uk>,
linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, Jan Beulich <jbeulich@suse.com>
Subject: Re: [PATCH 3.2 41/52] KVM: svm: unconditionally intercept #DB
Date: Wed, 25 Nov 2015 19:06:42 +0100
Message-ID: <5655F8B2.4080008@redhat.com>
In-Reply-To: <1448474193.27159.19.camel@decadent.org.uk>
On 25/11/2015 18:56, Ben Hutchings wrote:
> On Wed, 2015-11-25 at 12:31 +0100, Paolo Bonzini wrote:
>>
>> On 24/11/2015 23:33, Ben Hutchings wrote:
>>> 3.2.74-rc1 review patch. If anyone has any objections, please let me know.
>>>
>>> ------------------
>>>
>>> From: Paolo Bonzini <pbonzini@redhat.com>
>>>
>>> commit cbdb967af3d54993f5814f1cee0ed311a055377d upstream.
>>>
>>> This is needed to avoid the possibility that the guest triggers
>>> an infinite stream of #DB exceptions (CVE-2015-8104).
>>>
>>> VMX is not affected: because it does not save DR6 in the VMCS,
>>> it already intercepts #DB unconditionally.
>>>
>>> Reported-by: Jan Beulich <jbeulich@suse.com>
>>> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
>>> [bwh: Backported to 3.2: #DB and #BP did not share a function, and there is
>>> no operation pointer referring to it, so remove update_db_intercept()
>>> entirely]
>>
>> This is wrong, you still need to check the BP intercept in the
>> (incorrectly named as of 3.2) update_db_intercept function.
>>
>> Something like:
>>
>> -static void update_db_intercept(struct kvm_vcpu *vcpu)
>> +static void update_bp_intercept(struct kvm_vcpu *vcpu)
>> {
>> > > struct vcpu_svm *svm = to_svm(vcpu);
>>
>> -> > clr_exception_intercept(svm, DB_VECTOR);
>> > > clr_exception_intercept(svm, BP_VECTOR);
>> -
>> -> > if (svm->nmi_singlestep)
>> -> > > set_exception_intercept(svm, DB_VECTOR);
>> -
>> > > if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
>> -> > > if (vcpu->guest_debug &
>> -> > > (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
>> -> > > > set_exception_intercept(svm, DB_VECTOR);
>> > > > if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
>> > > > > set_exception_intercept(svm, BP_VECTOR);
>> > > } else
>> > > vcpu->guest_debug = 0;
>> }
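Review bot: the sketch only rewrites update_db_intercept(); on its own, removing the `if (svm->nmi_singlestep)` and KVM_GUESTDBG_* paths that set DB_VECTOR would leave #DB never intercepted rather than always intercepted, so it must be paired with a set_exception_intercept(svm, DB_VECTOR) in init_vmcb(). The full patch later in this thread does add that line, but the sketch should be read together with it.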
>>
>>
>> Then the calls in db_interception and enable_nmi_window can be removed,
>> but the one in svm_guest_debug is important.
>
> Sorry about that. I now have with this version:
>
> From: Paolo Bonzini <pbonzini@redhat.com>
> Date: Tue, 10 Nov 2015 09:14:39 +0100
> Subject: KVM: svm: unconditionally intercept #DB
>
> commit cbdb967af3d54993f5814f1cee0ed311a055377d upstream.
>
> This is needed to avoid the possibility that the guest triggers
> an infinite stream of #DB exceptions (CVE-2015-8104).
>
> VMX is not affected: because it does not save DR6 in the VMCS,
> it already intercepts #DB unconditionally.
>
> Reported-by: Jan Beulich <jbeulich@suse.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> [bwh: Backported to 3.2, with thanks to Paolo:
> - update_db_bp_intercept() was called update_db_intercept()
> - The remaining call is in svm_guest_debug() rather than through svm_x86_ops]
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> ---
> arch/x86/kvm/svm.c | 14 +++-----------
> 1 file changed, 3 insertions(+), 11 deletions(-)
>
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c
> @@ -1015,6 +1015,7 @@ static void init_vmcb(struct vcpu_svm *s
> set_exception_intercept(svm, UD_VECTOR);
> set_exception_intercept(svm, MC_VECTOR);
> set_exception_intercept(svm, AC_VECTOR);
> + set_exception_intercept(svm, DB_VECTOR);
>
> set_intercept(svm, INTERCEPT_INTR);
> set_intercept(svm, INTERCEPT_NMI);
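Review bot: with DB_VECTOR set here and no remaining clr_exception_intercept(svm, DB_VECTOR) anywhere in the patch, every guest #DB now exits to db_interception(); please confirm that the 3.2 handler reinjects the exception into the guest when neither svm->nmi_singlestep nor a KVM_GUESTDBG_* request applies, since that path, not the intercept bit, now decides whether the guest sees its own debug traps.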
> @@ -1550,20 +1551,13 @@ static void svm_set_segment(struct kvm_v
> mark_dirty(svm->vmcb, VMCB_SEG);
> }
>
> -static void update_db_intercept(struct kvm_vcpu *vcpu)
> +static void update_bp_intercept(struct kvm_vcpu *vcpu)
> {
> struct vcpu_svm *svm = to_svm(vcpu);
>
> - clr_exception_intercept(svm, DB_VECTOR);
> clr_exception_intercept(svm, BP_VECTOR);
>
> - if (svm->nmi_singlestep)
> - set_exception_intercept(svm, DB_VECTOR);
> -
> if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
> - if (vcpu->guest_debug &
> - (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
> - set_exception_intercept(svm, DB_VECTOR);
> if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
> set_exception_intercept(svm, BP_VECTOR);
> } else
> @@ -1581,7 +1575,7 @@ static void svm_guest_debug(struct kvm_v
>
> mark_dirty(svm->vmcb, VMCB_DR);
>
> - update_db_intercept(vcpu);
> + update_bp_intercept(vcpu);
> }
>
> static void new_asid(struct vcpu_svm *svm, struct svm_cpu_data *sd)
> @@ -1655,7 +1649,6 @@ static int db_interception(struct vcpu_s
> if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
> svm->vmcb->save.rflags &=
> ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
> - update_db_intercept(&svm->vcpu);
> }
>
> if (svm->vcpu.guest_debug &
> @@ -3557,7 +3550,6 @@ static void enable_nmi_window(struct kvm
> */
> svm->nmi_singlestep = true;
> svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
> - update_db_intercept(vcpu);
> }
>
> static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
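Review bot: dropping update_db_intercept() here is correct only because the #DB intercept is now set once in init_vmcb() and never cleared; the block still sets svm->nmi_singlestep and TF|RF, so the #DB that follows the single step lands in db_interception() as before. The comment above `svm->nmi_singlestep = true;` (cut off at the hunk boundary) should be checked for any wording that says the intercept is enabled here, since that would now be stale.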
>
Thanks, this looks good.
Paolo
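An added user-space model, not kernel code and not from either patch in this thread, of the intercept bookkeeping the fix changes: 3.2's update_db_intercept() before the patch beside update_bp_intercept() after it, driven over a stand-in vcpu struct. DB_VECTOR, BP_VECTOR and the KVM_GUESTDBG_* values match x86 KVM; struct vcpu_model, the helper names and db_intercepted_idle() are constructed for this example.

```c
/* Added model (not kernel code) of the SVM exception-intercept bitmap as
 * driven by 3.2's update_db_intercept() (old) and update_bp_intercept() (new).
 * Vector numbers and KVM_GUESTDBG_* values match x86 KVM; the struct is a stand-in. */
#include <stdbool.h>
#include <stdint.h>

#define DB_VECTOR 1
#define BP_VECTOR 3
#define KVM_GUESTDBG_ENABLE     0x1
#define KVM_GUESTDBG_SINGLESTEP 0x2
#define KVM_GUESTDBG_USE_SW_BP  0x10000
#define KVM_GUESTDBG_USE_HW_BP  0x20000

/* intercept_exceptions: bit n set => exception n exits to KVM (constructed stand-in) */
struct vcpu_model { uint32_t intercept_exceptions; unsigned long guest_debug; bool nmi_singlestep; };

static void set_exception_intercept(struct vcpu_model *v, int n) { v->intercept_exceptions |= 1u << n; }
static void clr_exception_intercept(struct vcpu_model *v, int n) { v->intercept_exceptions &= ~(1u << n); }
static bool intercepts(const struct vcpu_model *v, int n) { return (v->intercept_exceptions >> n) & 1u; }

/* Before the fix: the #DB intercept is recomputed from transient state. */
static void update_db_intercept_old(struct vcpu_model *v)
{
    clr_exception_intercept(v, DB_VECTOR);
    clr_exception_intercept(v, BP_VECTOR);
    if (v->nmi_singlestep)
        set_exception_intercept(v, DB_VECTOR);
    if (v->guest_debug & KVM_GUESTDBG_ENABLE) {
        if (v->guest_debug & (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
            set_exception_intercept(v, DB_VECTOR);
        if (v->guest_debug & KVM_GUESTDBG_USE_SW_BP)
            set_exception_intercept(v, BP_VECTOR);
    } else v->guest_debug = 0;
}

/* After the fix: only #BP is conditional; #DB was set once in init_vmcb(). */
static void update_bp_intercept_new(struct vcpu_model *v)
{
    clr_exception_intercept(v, BP_VECTOR);
    if (v->guest_debug & KVM_GUESTDBG_ENABLE) {
        if (v->guest_debug & KVM_GUESTDBG_USE_SW_BP)
            set_exception_intercept(v, BP_VECTOR);
    } else v->guest_debug = 0;
}

/* Is #DB still intercepted once the update runs with no debugger attached and
 * no NMI single-step pending? Old code: no. Fixed code: yes. */
static bool db_intercepted_idle(bool fixed)
{
    struct vcpu_model v = { 0, 0, false };
    set_exception_intercept(&v, DB_VECTOR);          /* as init_vmcb() now does */
    if (fixed) update_bp_intercept_new(&v); else update_db_intercept_old(&v);
    return intercepts(&v, DB_VECTOR);
}
```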