From: Sean Christopherson <seanjc@google.com>
To: Zhenzhong Duan <zhenzhong.duan@intel.com>
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
	pbonzini@redhat.com, vkuznets@redhat.com, wanpengli@tencent.com,
	jmattson@google.com, joro@8bytes.org
Subject: Re: [PATCH] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue
Date: Wed, 8 Sep 2021 00:07:38 +0000
Message-ID: <YTf+ygFFLWdHXHX3@google.com>
In-Reply-To: <20210906014323.170235-1-zhenzhong.duan@intel.com>

On Mon, Sep 06, 2021, Zhenzhong Duan wrote:
> Host value of TSX_CTRL_CPUID_CLEAR field should be unchangeable by guest,
> but the mask for this purpose is set to a wrong value. So it doesn't
> take effect.

It would be helpful to provide a bit more info as to just how bad/boneheaded this
bug is.  E.g.

  When updating the host's mask for its MSR_IA32_TSX_CTRL user return entry,
  clear the mask in the found uret MSR instead of vmx->guest_uret_msrs[i].
  Modifying guest_uret_msrs directly is completely broken as 'i' does not
  point at the MSR_IA32_TSX_CTRL entry.  In fact, it's guaranteed to be an
  out-of-bounds access as 'i' is always set to kvm_nr_uret_msrs in a prior
  loop.  By sheer dumb luck, the fallout is limited to "only" failing to
  preserve the host's TSX_CTRL_CPUID_CLEAR.  The out-of-bounds access is
  benign as it's guaranteed to clear a bit in a guest MSR value, which are
  always zero at vCPU creation on both x86-64 and i386.

> Fixes: 8ea8b8d6f869 ("KVM: VMX: Use common x86's uret MSR list as the one true list")

Cc: stable@vger.kernel.org

> Signed-off-by: Zhenzhong Duan <zhenzhong.duan@intel.com>
> ---
>  arch/x86/kvm/vmx/vmx.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index 927a552393b9..36588b5feee6 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -6812,7 +6812,7 @@ static int vmx_create_vcpu(struct kvm_vcpu *vcpu)
>  		 */
>  		tsx_ctrl = vmx_find_uret_msr(vmx, MSR_IA32_TSX_CTRL);
>  		if (tsx_ctrl)
> -			vmx->guest_uret_msrs[i].mask = ~(u64)TSX_CTRL_CPUID_CLEAR;
> +			tsx_ctrl->mask = ~(u64)TSX_CTRL_CPUID_CLEAR;
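Review bot: the one-line change is the right fix, but the changelog above undersells what the removed line did: it wrote through `vmx->guest_uret_msrs[i]` even though `tsx_ctrl` is the entry that was just looked up, and nothing in the hunk ties `i` to the MSR_IA32_TSX_CTRL slot, so the old code was a stray write to whatever entry `i` happened to index, not merely a "wrong mask value". Suggest saying so in the commit message (and why it was benign) so stable maintainers can judge the backport, and keep the `if (tsx_ctrl)` guard as is, since the guard itself shows the lookup can return NULL.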

Egad, that's a horrific oversight on my part.

Reviewed-by: Sean Christopherson <seanjc@google.com>
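As an added illustration of the mechanism described in this thread (not code from the patch, from KVM, or from either author): a small C model of the per-vCPU uret MSR list, with both the pre-patch assignment through the stale loop counter and the patched assignment through the found entry. The struct layout, the MSR numbers, the list contents and the field names are assumptions chosen for the illustration; the combine step models the (value & mask) | (host & ~mask) rule applied before the host-to-guest MSR write, with the host value passed in explicitly. The model sizes the array with spare entries so the stray write lands in an unused slot and the program stays well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the user-return ("uret") MSR bookkeeping. Not KVM
 * code: layout, list contents and MSR numbers are assumptions; the combine
 * rule (value & mask) | (host & ~mask) is what the restriction relies on.
 */
#define MSR_IA32_TSX_CTRL     0x122u
#define MSR_STAR              0xc0000081u
#define TSX_CTRL_RTM_DISABLE  (1ULL << 0)
#define TSX_CTRL_CPUID_CLEAR  (1ULL << 1)

/* Spare entries beyond the used ones keep the stray write in bounds here. */
#define MAX_NR_URET_MSRS 4

struct vmx_uret_msr {
	uint32_t msr;   /* which MSR this entry tracks (assumed field) */
	uint64_t data;  /* guest's value */
	uint64_t mask;  /* bits the guest's value is allowed to override */
};

struct vcpu_vmx {
	struct vmx_uret_msr guest_uret_msrs[MAX_NR_URET_MSRS];
};

/* Host-wide list; only the first kvm_nr_uret_msrs entries are in use. */
static const uint32_t kvm_uret_msrs_list[MAX_NR_URET_MSRS] = {
	MSR_STAR, MSR_IA32_TSX_CTRL,
};
static const int kvm_nr_uret_msrs = 2;

static struct vmx_uret_msr *vmx_find_uret_msr(struct vcpu_vmx *vmx, uint32_t msr)
{
	for (int i = 0; i < kvm_nr_uret_msrs; i++)
		if (vmx->guest_uret_msrs[i].msr == msr)
			return &vmx->guest_uret_msrs[i];
	return NULL;
}

/* Shape of vCPU creation: fill the list, then restrict TSX_CTRL.
 * 'fixed' selects the patched (1) or the original (0) assignment. */
static void create_vcpu(struct vcpu_vmx *vmx, int fixed)
{
	int i;

	for (i = 0; i < kvm_nr_uret_msrs; ++i) {
		vmx->guest_uret_msrs[i].msr = kvm_uret_msrs_list[i];
		vmx->guest_uret_msrs[i].data = 0;     /* guest values start at zero */
		vmx->guest_uret_msrs[i].mask = ~0ULL; /* guest owns every bit by default */
	}
	/* Here i == kvm_nr_uret_msrs, i.e. the first unused entry. */

	struct vmx_uret_msr *tsx_ctrl = vmx_find_uret_msr(vmx, MSR_IA32_TSX_CTRL);
	if (tsx_ctrl) {
		if (fixed)
			tsx_ctrl->mask = ~(uint64_t)TSX_CTRL_CPUID_CLEAR;
		else /* pre-patch: indexes by the stale loop counter */
			vmx->guest_uret_msrs[i].mask = ~(uint64_t)TSX_CTRL_CPUID_CLEAR;
	}
}

/* Combine step on the way into the guest: guest bits pass where the mask is
 * set, the host's saved bits are kept elsewhere. Returns the MSR value. */
static uint64_t kvm_set_user_return_msr(uint64_t host, uint64_t value, uint64_t mask)
{
	return (value & mask) | (host & ~mask);
}

/* Guest WRMSR to TSX_CTRL: the value the hardware holds while the guest runs. */
static uint64_t guest_wrmsr_tsx_ctrl(struct vcpu_vmx *vmx, uint64_t host, uint64_t guest_value)
{
	struct vmx_uret_msr *m = vmx_find_uret_msr(vmx, MSR_IA32_TSX_CTRL);

	if (!m)
		return host;
	m->data = guest_value;
	return kvm_set_user_return_msr(host, m->data, m->mask);
}

/* Host has both bits clear; guest sets RTM_DISABLE and CPUID_CLEAR.
 * Only RTM_DISABLE should reach the hardware. */
static uint64_t run_scenario(int fixed)
{
	struct vcpu_vmx vmx = { 0 };
	uint64_t host = 0;
	uint64_t guest = TSX_CTRL_RTM_DISABLE | TSX_CTRL_CPUID_CLEAR;

	create_vcpu(&vmx, fixed);
	return guest_wrmsr_tsx_ctrl(&vmx, host, guest);
}

/* Mask left in entry 'idx' after creation: shows where the restriction landed. */
static uint64_t entry_mask(int fixed, int idx)
{
	struct vcpu_vmx vmx = { 0 };

	create_vcpu(&vmx, fixed);
	return vmx.guest_uret_msrs[idx].mask;
}

int main(void)
{
	printf("pre-patch: hardware sees 0x%llx\n", (unsigned long long)run_scenario(0));
	printf("patched:   hardware sees 0x%llx\n", (unsigned long long)run_scenario(1));
	return 0;
}
```

With the original assignment the TSX_CTRL entry keeps its all-ones mask and the guest's CPUID_CLEAR write goes straight through, while the restricted mask ends up in the unused entry past the end of the list; with the patched assignment the mask sits on the entry that was looked up and the host's CPUID_CLEAR bit is preserved.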

Thread overview: 3+ messages
2021-09-06  1:43 [PATCH] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue Zhenzhong Duan
2021-09-08  0:07 ` Sean Christopherson [this message]
2021-09-26  1:43   ` Duan, Zhenzhong
