From mboxrd@z Thu Jan  1 00:00:00 1970
From: Avi Kivity <avi@redhat.com>
Subject: [PATCH 1/2] KVM: VMX: Fix host GDT.LIMIT corruption
Date: Mon, 26 Jul 2010 18:32:38 +0300
Message-ID: <1280158359-26593-2-git-send-email-avi@redhat.com>
References: <1280158359-26593-1-git-send-email-avi@redhat.com>
To: Marcelo Tosatti <mtosatti@redhat.com>, kvm@vger.kernel.org
Return-path: <kvm-owner@vger.kernel.org>
Received: from mx1.redhat.com ([209.132.183.28]:17790 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1754566Ab0GZPcl (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 26 Jul 2010 11:32:41 -0400
Received: from int-mx05.intmail.prod.int.phx2.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.18])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o6QFWfaD006659
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <kvm@vger.kernel.org>; Mon, 26 Jul 2010 11:32:41 -0400
Received: from cleopatra.tlv.redhat.com (cleopatra.tlv.redhat.com [10.35.255.11])
	by int-mx05.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id o6QFWeHr020284
	for <kvm@vger.kernel.org>; Mon, 26 Jul 2010 11:32:40 -0400
In-Reply-To: <1280158359-26593-1-git-send-email-avi@redhat.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

vmx does not restore GDT.LIMIT to the host value, instead it sets it to 64KB.
This means host userspace can learn a few bits of host memory.

Fix by reloading GDTR when we load other host state.

Signed-off-by: Avi Kivity <avi@redhat.com>
---
 arch/x86/kvm/vmx.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 2fdcc98..27a0222 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -185,6 +185,7 @@ static void kvm_cpu_vmxoff(void);
 static DEFINE_PER_CPU(struct vmcs *, vmxarea);
 static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
 static DEFINE_PER_CPU(struct list_head, vcpus_on_cpu);
+static DEFINE_PER_CPU(struct desc_ptr, host_gdt);
 
 static unsigned long *vmx_io_bitmap_a;
 static unsigned long *vmx_io_bitmap_b;
@@ -871,6 +872,7 @@ static void __vmx_load_host_state(struct vcpu_vmx *vmx)
 #endif
 	if (current_thread_info()->status & TS_USEDFPU)
 		clts();
+	load_gdt(&__get_cpu_var(host_gdt));
 }
 
 static void vmx_load_host_state(struct vcpu_vmx *vmx)
@@ -1379,6 +1381,8 @@ static int hardware_enable(void *garbage)
 		ept_sync_global();
 	}
 
+	store_gdt(&__get_cpu_var(host_gdt));
+
 	return 0;
 }
 
-- 
1.7.1