Re: [PATCH 3/7] KVM: x86: Add emulation_type to not raise #UD on CPL=3 emulation failure

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Liran Alon <LIRAN.ALON@ORACLE.COM>
To: Paolo Bonzini <pbonzini@redhat.com>,
	rkrcmar@redhat.com, kvm@vger.kernel.org
Cc: idan.brown@ORACLE.COM, Krish Sadhukhan <krish.sadhukhan@ORACLE.COM>
Subject: Re: [PATCH 3/7] KVM: x86: Add emulation_type to not raise #UD on CPL=3 emulation failure
Date: Fri, 22 Dec 2017 17:53:56 +0200	[thread overview]
Message-ID: <5A3D2A94.9030008@ORACLE.COM> (raw)
In-Reply-To: <957e04bd-fde3-c878-7d3e-3439e425c1e3@redhat.com>



On 22/12/17 17:16, Paolo Bonzini wrote:
> On 22/12/2017 02:11, Liran Alon wrote:
>> Consider the case where the CPU raises a #GP on some instruction
>> which is now intercepted by KVM. The #GP intercept will call
>> x86_emulate_instruction(). If the x86 emulator disassembly engine is
>> incomplete and therefore doesn't know how to parse the instruction
>> which caused the #GP, x86_decode_insn() will fail which will also
>> reach handle_emulation_failure(). If there is no
>> EMULTYPE_NO_UD_ON_FAIL flag, this will cause a #UD exception to be
>> queued which is not what we want.
>
> Yup, however EMULTYPE_VMWARE has filtered the opcodes, hasn't it?  So in
> this case you shouldn't fail the decoding.

In my current implementation EMULTYPE_VMWARE is considered only after 
the disassembly engine (x86_decode_insn()) has succeeded. It is true I 
could have filtered the opcodes before invoking the disassembly engine 
but that will make code a bit more complex. In addition, I didn't saw a 
lot of value in reducing the attack surface from the disassembly engine 
itself. Only from the emulation.

Therefore, I decided to make the EMULTYPE_NO_UD_ON_FAIL flag which may 
be also useful in the future for other use cases.

Regards,
-Liran

>
>> Therefore we can summarize these flags usage as follows: 1.
>> EMULTYPE_NO_UD_ON_FAIL is used to tell emulator "if you fail to
>> disassemble the instruction, I just want you to return failure. Do
>> not queue a #UD and let me decide what should be the proper
>> response".
>>
>> 2. EMULTYPE_VMWARE is indeed used to avoid making all
>> instructions that could raise #GP to reach instruction-emulation as
>> the x86 emulator is incomplete anyway and it just, as you say,
>> increase attack surface.
>>
>> Having said that, I agree the commit messages of the 2 commits
>> introducing these flags may not be indicative enough. If we agree on
>> the written above, I can fix them in v2 of this series.
>
> Yeah, that's good.  In particular it's important to note that
> EMULTYPE_VMWARE is not for correctness, only for hardening.
>
> Thanks,
>
> Paolo
>

next prev parent reply	other threads:[~2017-12-22 15:54 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-18  9:45 [PATCH 0/7] KVM: x86: Add support for VMware backdoor I/O ports & Pseduo-PMCs Liran Alon
2017-12-18  9:45 ` [PATCH 1/7] KVM: x86: Add module parameter for supporting VMware backdoor Liran Alon
2017-12-18  9:45 ` [PATCH 2/7] KVM: x86: Always allow access to VMware backdoor I/O ports Liran Alon
2017-12-18  9:45 ` [PATCH 3/7] KVM: x86: Add emulation_type to not raise #UD on CPL=3 emulation failure Liran Alon
2017-12-21 15:11   ` Paolo Bonzini
2017-12-22  1:11     ` Liran Alon
2017-12-22 15:16       ` Paolo Bonzini
2017-12-22 15:53         ` Liran Alon [this message]
2017-12-22 15:59           ` Paolo Bonzini
2017-12-18  9:45 ` [PATCH 4/7] KVM: x86: Emulate only IN/OUT instructions when accessing VMware backdoor Liran Alon
2017-12-18  9:45 ` [PATCH 5/7] KVM: x86: VMX: Intercept #GP to support access to VMware backdoor ports Liran Alon
2017-12-18  9:45 ` [PATCH 6/7] KVM: x86: SVM: " Liran Alon
2017-12-18  9:45 ` [PATCH 7/7] KVM: x86: Add support for VMware backdoor Pseudo-PMCs Liran Alon
2017-12-21 15:15 ` [PATCH 0/7] KVM: x86: Add support for VMware backdoor I/O ports & Pseduo-PMCs Paolo Bonzini
2017-12-22  1:22   ` Liran Alon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5A3D2A94.9030008@ORACLE.COM \
    --to=liran.alon@oracle.com \
    --cc=idan.brown@ORACLE.COM \
    --cc=krish.sadhukhan@ORACLE.COM \
    --cc=kvm@vger.kernel.org \
    --cc=pbonzini@redhat.com \
    --cc=rkrcmar@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.