From: Rusty Russell <rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>
To: kvm-devel <kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
Subject: [PATCH 2/2] kvm: pr_guest: don't let guest invoke printk() on host
Date: Tue, 24 Jul 2007 17:03:40 +1000	[thread overview]
Message-ID: <1185260620.1803.245.camel@localhost.localdomain> (raw)
In-Reply-To: <1185259677.1803.239.camel-bi+AKbBUZKY6gyzm1THtWbp2dZbC/Bob@public.gmane.org>

If the guest can invoke a printk(), it can potentially flood the logs,
causing a host DoS.  We should also indicate *which* guest we're
talking about.

This patch adds pr_guest (analogous to pr_debug) which ratelimits.
Not all printk's were replaced: some are only printed once and others
should probably be replaced by BUG().  I removed the kvm_printf in
init_rmode_tss: it says nothing that the return value doesn't say.

Coders should be aware that printing in the logs is not particularly
useful except to give feedback to developers, i.e. it "should not be used
for chit-chat".

Signed-off-by: Rusty Russell <rusty-8n+1lVoiYb80n/F98K4Iww@public.gmane.org>

diff -r 3f158ee9df43 drivers/kvm/kvm.h
--- a/drivers/kvm/kvm.h	Tue Jul 24 16:22:39 2007 +1000
+++ b/drivers/kvm/kvm.h	Tue Jul 24 17:01:15 2007 +1000
@@ -503,8 +503,18 @@ struct kvm_arch_ops {
 
 extern struct kvm_arch_ops *kvm_arch_ops;
 
-#define kvm_printf(kvm, fmt ...) printk(KERN_DEBUG fmt)
-#define vcpu_printf(vcpu, fmt...) kvm_printf(vcpu->kvm, fmt)
+/* The guest did something wrong/strange.  Returns true if printed. */
+#define pr_guest(vcpu, fmt, ...)					\
+	({								\
+		int __r = 0;						\
+		if (printk_ratelimit()) {				\
+			printk(KERN_WARNING "kvm: %i: cpu%i " fmt,	\
+			       current->tgid, (vcpu)->vcpu_id		\
+			       , ## __VA_ARGS__);			\
+			__r = 1;					\
+		}							\
+		__r;							\
+	})
 
 int kvm_init_arch(struct kvm_arch_ops *ops, struct module *module);
 void kvm_exit_arch(void);
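Review bot: `pr_guest` gates on the kernel-wide `printk_ratelimit()`, whose budget is shared by every caller, so one noisy guest can also silence the messages of other guests and of unrelated ratelimited code while it is flooding. The comment above the macro should say so, e.g. `/* Ratelimited through the global printk_ratelimit() budget, so a message may be dropped because of other callers. Returns true if printed. */`. The `current->tgid` prefix names the calling task, which identifies the guest only if every call site runs in that guest's process context; that assumption is worth stating in the same comment.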
diff -r 3f158ee9df43 drivers/kvm/kvm_main.c
--- a/drivers/kvm/kvm_main.c	Tue Jul 24 16:22:39 2007 +1000
+++ b/drivers/kvm/kvm_main.c	Tue Jul 24 16:28:33 2007 +1000
@@ -425,8 +425,8 @@ inject_gp(struct kvm_vcpu *vcpu, const c
 	va_list args;
 
 	va_start(args, why_fmt);
-	printk(KERN_DEBUG "kvm: #GP ");
-	vprintk(why_fmt, args);
+	if (pr_guest(vcpu, "#GP "))
+		vprintk(why_fmt, args);
 	va_end(args);
 	kvm_arch_ops->inject_gp(vcpu, 0);
 }
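Review bot: The #GP message is still emitted as two separate calls, `pr_guest(vcpu, "#GP ")` followed by `vprintk(why_fmt, args)`, so output from another CPU can land between the prefix and the reason, and the second fragment carries no log level of its own. Formatting the reason first and printing once avoids that: `char why[128];` `vsnprintf(why, sizeof(why), why_fmt, args);` `pr_guest(vcpu, "#GP %s", why);` (the buffer size is an illustrative value). Whether the line ends in a newline depends on the callers' `why_fmt`, which this hunk does not show; the start of inject_gp is also outside the hunk.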
@@ -995,8 +995,8 @@ static int emulator_write_std(unsigned l
 			      unsigned int bytes,
 			      struct x86_emulate_ctxt *ctxt)
 {
-	printk(KERN_ERR "emulator_write_std: addr %lx n %d\n",
-	       addr, bytes);
+	pr_guest(ctxt->vcpu,
+		 "emulator_write_std: addr %lx n %d\n", addr, bytes);
 	return X86EMUL_UNHANDLEABLE;
 }
 
@@ -1173,7 +1173,7 @@ int emulator_get_dr(struct x86_emulate_c
 		*dest = kvm_arch_ops->get_dr(vcpu, dr);
 		return X86EMUL_CONTINUE;
 	default:
-		printk(KERN_DEBUG "%s: unexpected dr %u\n",
+		pr_guest(vcpu, "%s: unexpected dr %u\n",
 		       __FUNCTION__, dr);
 		return X86EMUL_UNHANDLEABLE;
 	}
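Review bot: The continuation line `__FUNCTION__, dr);` is still indented for the old `printk(` opening parenthesis, so after the rename it no longer lines up with the first argument. The call fits on one line, `pr_guest(vcpu, "%s: unexpected dr %u\n", __FUNCTION__, dr);`, which removes the problem here. The same leftover alignment shows in the kvm_set_msr_common and kvm_setup_pio hunks and in most of the svm.c and vmx.c hunks. emulator_get_dr starts outside this hunk.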
@@ -1386,7 +1386,7 @@ unsigned long realmode_get_cr(struct kvm
 	case 4:
 		return vcpu->cr4;
 	default:
-		vcpu_printf(vcpu, "%s: unexpected cr %u\n", __FUNCTION__, cr);
+		pr_guest(vcpu, "%s: unexpected cr %u\n", __FUNCTION__, cr);
 		return 0;
 	}
 }
@@ -1409,7 +1409,7 @@ void realmode_set_cr(struct kvm_vcpu *vc
 		set_cr4(vcpu, mk_cr_64(vcpu->cr4, val));
 		break;
 	default:
-		vcpu_printf(vcpu, "%s: unexpected cr %u\n", __FUNCTION__, cr);
+		pr_guest(vcpu, "%s: unexpected cr %u\n", __FUNCTION__, cr);
 	}
 }
 
@@ -1523,7 +1523,7 @@ int kvm_get_msr_common(struct kvm_vcpu *
 		break;
 #endif
 	default:
-		printk(KERN_ERR "kvm: unhandled rdmsr: 0x%x\n", msr);
+		pr_guest(vcpu, "unhandled rdmsr: 0x%x\n", msr);
 		return 1;
 	}
 	*pdata = data;
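Review bot: Once the limiter trips, the `default:` case returns 1 without leaving any record that this guest kept reading unhandled MSRs, and the same holds for the `unhandled wrmsr` case in the later kvm_set_msr_common hunk. Counting the suppressed events would keep a flooding guest visible to the host administrator while its messages are dropped, e.g. `if (!pr_guest(vcpu, "unhandled rdmsr: 0x%x\n", msr)) ++vcpu->stat.NEW_COUNTER_PLACEHOLDER;`. The `vcpu->stat` counters seen in the svm.c and vmx.c context lines (`mmio_exits`, `pf_guest`) look like the natural home, though a new field would be needed and its declaration is not visible here. kvm_get_msr_common starts and ends outside this hunk.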
@@ -1575,11 +1575,11 @@ int kvm_set_msr_common(struct kvm_vcpu *
 		break;
 #endif
 	case MSR_IA32_MC0_STATUS:
-		printk(KERN_WARNING "%s: MSR_IA32_MC0_STATUS 0x%llx, nop\n",
+		pr_guest(vcpu, "%s: MSR_IA32_MC0_STATUS 0x%llx, nop\n",
 		       __FUNCTION__, data);
 		break;
 	case MSR_IA32_MCG_STATUS:
-		printk(KERN_WARNING "%s: MSR_IA32_MCG_STATUS 0x%llx, nop\n",
+		pr_guest(vcpu, "%s: MSR_IA32_MCG_STATUS 0x%llx, nop\n",
 			__FUNCTION__, data);
 		break;
 	case MSR_IA32_UCODE_REV:
@@ -1599,7 +1599,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
 		return vcpu_register_para(vcpu, data);
 
 	default:
-		printk(KERN_ERR "kvm: unhandled wrmsr: 0x%x\n", msr);
+		pr_guest(vcpu, "unhandled wrmsr: 0x%x\n", msr);
 		return 1;
 	}
 	return 0;
@@ -1884,7 +1884,7 @@ int kvm_setup_pio(struct kvm_vcpu *vcpu,
 				ret = 1;
 		}
 	} else if (pio_dev)
-		printk(KERN_ERR "no string pio read support yet, "
+		pr_guest(vcpu, "no string pio read support yet, "
 		       "port %x size %d count %ld\n",
 			port, size, count);
 
diff -r 3f158ee9df43 drivers/kvm/svm.c
--- a/drivers/kvm/svm.c	Tue Jul 24 16:22:39 2007 +1000
+++ b/drivers/kvm/svm.c	Tue Jul 24 16:30:26 2007 +1000
@@ -229,11 +229,11 @@ static void skip_emulated_instruction(st
 static void skip_emulated_instruction(struct kvm_vcpu *vcpu)
 {
 	if (!vcpu->svm->next_rip) {
-		printk(KERN_DEBUG "%s: NOP\n", __FUNCTION__);
+		pr_guest(vcpu, "%s: NOP\n", __FUNCTION__);
 		return;
 	}
 	if (vcpu->svm->next_rip - vcpu->svm->vmcb->save.rip > 15) {
-		printk(KERN_ERR "%s: ip 0x%llx next 0x%llx\n",
+		pr_guest(vcpu, "%s: ip 0x%llx next 0x%llx\n",
 		       __FUNCTION__,
 		       vcpu->svm->vmcb->save.rip,
 		       vcpu->svm->next_rip);
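Review bot: Both messages here now come out at KERN_WARNING because `pr_guest` hard-codes the level: the `NOP` case was KERN_DEBUG and the out-of-range `next_rip` case was KERN_ERR. Raising the former puts a message that was hidden at the default console loglevel onto the console, and lowering the latter can drop it below the severity that log monitoring treats as an error; the same shift happens in most other hunks of this patch. If that is intended the commit message should say so; otherwise the NOP case could stay developer-only with `pr_debug("%s: NOP\n", __FUNCTION__);`. The function continues past the end of the hunk.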
@@ -889,7 +889,7 @@ static void svm_set_dr(struct kvm_vcpu *
 		return;
 	}
 	default:
-		printk(KERN_DEBUG "%s: unexpected dr %u\n",
+		pr_guest(vcpu, "%s: unexpected dr %u\n",
 		       __FUNCTION__, dr);
 		*exception = UD_VECTOR;
 		return;
@@ -930,7 +930,7 @@ static int pf_interception(struct kvm_vc
 		++vcpu->stat.mmio_exits;
 		return 0;
 	case EMULATE_FAIL:
-		vcpu_printf(vcpu, "%s: emulate fail\n", __FUNCTION__);
+		pr_guest(vcpu, "%s: emulate fail\n", __FUNCTION__);
 		break;
 	default:
 		BUG();
@@ -977,7 +977,7 @@ static int io_get_override(struct kvm_vc
 	rip += vcpu->svm->vmcb->save.cs.base;
 
 	if (ins_length > MAX_INST_SIZE)
-		printk(KERN_DEBUG
+		pr_guest(vcpu,
 		       "%s: inst length err, cs base 0x%llx rip 0x%llx "
 		       "next rip 0x%llx ins_length %u\n",
 		       __FUNCTION__,
@@ -1093,7 +1093,7 @@ static int io_interception(struct kvm_vc
 
 		addr_mask = io_adress(vcpu, in, &address);
 		if (!addr_mask) {
-			printk(KERN_DEBUG "%s: get io address failed\n",
+			pr_guest(vcpu, "%s: get io address failed\n",
 			       __FUNCTION__);
 			return 1;
 		}
@@ -1132,7 +1132,7 @@ static int invalid_op_interception(struc
 
 static int task_switch_interception(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
 {
-	printk(KERN_DEBUG "%s: task swiche is unsupported\n", __FUNCTION__);
+	pr_guest(vcpu, "%s: task swiche is unsupported\n", __FUNCTION__);
 	kvm_run->exit_reason = KVM_EXIT_UNKNOWN;
 	return 0;
 }
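Review bot: The message string still reads "task swiche"; since this line is being rewritten anyway, the spelling should be fixed so the message turns up in a search for "task switch": `pr_guest(vcpu, "%s: task switch is unsupported\n", __FUNCTION__);`. Any log filter that matches on the old text would need updating at the same time.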
@@ -1147,7 +1147,7 @@ static int emulate_on_interception(struc
 static int emulate_on_interception(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run)
 {
 	if (emulate_instruction(vcpu, NULL, 0, 0) != EMULATE_DONE)
-		printk(KERN_ERR "%s: failed\n", __FUNCTION__);
+		pr_guest(vcpu, "%s: failed\n", __FUNCTION__);
 	return 1;
 }
 
diff -r 3f158ee9df43 drivers/kvm/vmx.c
--- a/drivers/kvm/vmx.c	Tue Jul 24 16:22:39 2007 +1000
+++ b/drivers/kvm/vmx.c	Tue Jul 24 16:22:51 2007 +1000
@@ -488,7 +488,7 @@ static void skip_emulated_instruction(st
 
 static void vmx_inject_gp(struct kvm_vcpu *vcpu, unsigned error_code)
 {
-	printk(KERN_DEBUG "inject_general_protection: rip 0x%lx\n",
+	pr_guest(vcpu, "inject_general_protection: rip 0x%lx\n",
 	       vmcs_readl(GUEST_RIP));
 	vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, error_code);
 	vmcs_write32(VM_ENTRY_INTR_INFO_FIELD,
@@ -966,7 +966,7 @@ static void enter_lmode(struct kvm_vcpu 
 
 	guest_tr_ar = vmcs_read32(GUEST_TR_AR_BYTES);
 	if ((guest_tr_ar & AR_TYPE_MASK) != AR_TYPE_BUSY_64_TSS) {
-		printk(KERN_DEBUG "%s: tss fixup for long mode. \n",
+		pr_guest(vcpu, "%s: tss fixup for long mode.\n",
 		       __FUNCTION__);
 		vmcs_write32(GUEST_TR_AR_BYTES,
 			     (guest_tr_ar & ~AR_TYPE_MASK)
@@ -1188,10 +1188,8 @@ static int init_rmode_tss(struct kvm* kv
 	p2 = gfn_to_page(kvm, fn++);
 	p3 = gfn_to_page(kvm, fn);
 
-	if (!p1 || !p2 || !p3) {
-		kvm_printf(kvm,"%s: gfn_to_page failed\n", __FUNCTION__);
+	if (!p1 || !p2 || !p3)
 		return 0;
-	}
 
 	page = kmap_atomic(p1, KM_USER0);
 	clear_page(page);
@@ -1435,7 +1433,7 @@ static void inject_rmode_irq(struct kvm_
 	u32 ss_limit = vmcs_read32(GUEST_SS_LIMIT);
 
 	if (sp > ss_limit || sp < 6 ) {
-		vcpu_printf(vcpu, "%s: #SS, rsp 0x%lx ss 0x%lx limit 0x%x\n",
+		pr_guest(vcpu, "%s: #SS, rsp 0x%lx ss 0x%lx limit 0x%x\n",
 			    __FUNCTION__,
 			    vmcs_readl(GUEST_RSP),
 			    vmcs_readl(GUEST_SS_BASE),
@@ -1445,7 +1443,7 @@ static void inject_rmode_irq(struct kvm_
 
 	if (kvm_read_guest(vcpu, irq * sizeof(ent), sizeof(ent), &ent) !=
 								sizeof(ent)) {
-		vcpu_printf(vcpu, "%s: read guest err\n", __FUNCTION__);
+		pr_guest(vcpu, "%s: read guest err\n", __FUNCTION__);
 		return;
 	}
 
@@ -1457,7 +1455,7 @@ static void inject_rmode_irq(struct kvm_
 	if (kvm_write_guest(vcpu, ss_base + sp - 2, 2, &flags) != 2 ||
 	    kvm_write_guest(vcpu, ss_base + sp - 4, 2, &cs) != 2 ||
 	    kvm_write_guest(vcpu, ss_base + sp - 6, 2, &ip) != 2) {
-		vcpu_printf(vcpu, "%s: write guest err\n", __FUNCTION__);
+		pr_guest(vcpu, "%s: write guest err\n", __FUNCTION__);
 		return;
 	}
 
@@ -1612,7 +1610,7 @@ static int handle_exception(struct kvm_v
 			++vcpu->stat.mmio_exits;
 			return 0;
 		 case EMULATE_FAIL:
-			vcpu_printf(vcpu, "%s: emulate fail\n", __FUNCTION__);
+			pr_guest(vcpu, "%s: emulate fail\n", __FUNCTION__);
 			break;
 		default:
 			BUG();
@@ -1807,7 +1805,7 @@ static int handle_cr(struct kvm_vcpu *vc
 		break;
 	}
 	kvm_run->exit_reason = 0;
-	printk(KERN_ERR "kvm: unhandled control register: op %d cr %d\n",
+	pr_guest(vcpu, "unhandled control register: op %d cr %d\n",
 	       (int)(exit_qualification >> 4) & 3, cr);
 	return 0;
 }
@@ -2201,7 +2199,7 @@ static void vmx_inject_page_fault(struct
 	++vcpu->stat.pf_guest;
 
 	if (is_page_fault(vect_info)) {
-		printk(KERN_DEBUG "inject_page_fault: "
+		pr_guest(vcpu, "inject_page_fault: "
 		       "double fault 0x%lx @ 0x%lx\n",
 		       addr, vmcs_readl(GUEST_RIP));
 		vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, 0);



