* [PATCH 1/2] KVM: VMX: Fix host GDT.LIMIT corruption
2010-07-26 15:32 [PATCH 0/2] Fix GDT limit corruption on Intel Avi Kivity
@ 2010-07-26 15:32 ` Avi Kivity
2010-07-26 15:32 ` [PATCH 2/2] KVM: VMX: Use host_gdt variable wherever we need the host gdt Avi Kivity
2010-07-28 0:25 ` [PATCH 0/2] Fix GDT limit corruption on Intel Marcelo Tosatti
2 siblings, 0 replies; 4+ messages in thread
From: Avi Kivity @ 2010-07-26 15:32 UTC (permalink / raw)
To: Marcelo Tosatti, kvm
vmx does not restore GDT.LIMIT to the host value, instead it sets it to 64KB.
This means host userspace can learn a few bits of host memory.
Fix by reloading GDTR when we load other host state.
Signed-off-by: Avi Kivity <avi@redhat.com>
---
arch/x86/kvm/vmx.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 2fdcc98..27a0222 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -185,6 +185,7 @@ static void kvm_cpu_vmxoff(void);
static DEFINE_PER_CPU(struct vmcs *, vmxarea);
static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
static DEFINE_PER_CPU(struct list_head, vcpus_on_cpu);
+static DEFINE_PER_CPU(struct desc_ptr, host_gdt);
static unsigned long *vmx_io_bitmap_a;
static unsigned long *vmx_io_bitmap_b;
@@ -871,6 +872,7 @@ static void __vmx_load_host_state(struct vcpu_vmx *vmx)
#endif
if (current_thread_info()->status & TS_USEDFPU)
clts();
+ load_gdt(&__get_cpu_var(host_gdt));
}
static void vmx_load_host_state(struct vcpu_vmx *vmx)
@@ -1379,6 +1381,8 @@ static int hardware_enable(void *garbage)
ept_sync_global();
}
+ store_gdt(&__get_cpu_var(host_gdt));
+
return 0;
}
--
1.7.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] KVM: VMX: Use host_gdt variable wherever we need the host gdt
2010-07-26 15:32 [PATCH 0/2] Fix GDT limit corruption on Intel Avi Kivity
2010-07-26 15:32 ` [PATCH 1/2] KVM: VMX: Fix host GDT.LIMIT corruption Avi Kivity
@ 2010-07-26 15:32 ` Avi Kivity
2010-07-28 0:25 ` [PATCH 0/2] Fix GDT limit corruption on Intel Marcelo Tosatti
2 siblings, 0 replies; 4+ messages in thread
From: Avi Kivity @ 2010-07-26 15:32 UTC (permalink / raw)
To: Marcelo Tosatti, kvm
Now that we have the host gdt conveniently stored in a variable, make use
of it instead of querying the cpu.
Signed-off-by: Avi Kivity <avi@redhat.com>
---
arch/x86/kvm/vmx.c | 15 ++++++---------
1 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 27a0222..cf56462 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -706,11 +706,10 @@ static void reload_tss(void)
/*
* VT restores TR but not its size. Useless.
*/
- struct desc_ptr gdt;
+ struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
struct desc_struct *descs;
- native_store_gdt(&gdt);
- descs = (void *)gdt.address;
+ descs = (void *)gdt->address;
descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
load_TR_desc();
}
@@ -753,7 +752,7 @@ static bool update_transition_efer(struct vcpu_vmx *vmx, int efer_offset)
static unsigned long segment_base(u16 selector)
{
- struct desc_ptr gdt;
+ struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
struct desc_struct *d;
unsigned long table_base;
unsigned long v;
@@ -761,8 +760,7 @@ static unsigned long segment_base(u16 selector)
if (!(selector & ~3))
return 0;
- native_store_gdt(&gdt);
- table_base = gdt.address;
+ table_base = gdt->address;
if (selector & 4) { /* from ldt */
u16 ldt_selector = kvm_read_ldt();
@@ -903,7 +901,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
}
if (vcpu->cpu != cpu) {
- struct desc_ptr dt;
+ struct desc_ptr *gdt = &__get_cpu_var(host_gdt);
unsigned long sysenter_esp;
kvm_migrate_timers(vcpu);
@@ -919,8 +917,7 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
* processors.
*/
vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
- native_store_gdt(&dt);
- vmcs_writel(HOST_GDTR_BASE, dt.address); /* 22.2.4 */
+ vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */
rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
--
1.7.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH 0/2] Fix GDT limit corruption on Intel
2010-07-26 15:32 [PATCH 0/2] Fix GDT limit corruption on Intel Avi Kivity
2010-07-26 15:32 ` [PATCH 1/2] KVM: VMX: Fix host GDT.LIMIT corruption Avi Kivity
2010-07-26 15:32 ` [PATCH 2/2] KVM: VMX: Use host_gdt variable wherever we need the host gdt Avi Kivity
@ 2010-07-28 0:25 ` Marcelo Tosatti
2 siblings, 0 replies; 4+ messages in thread
From: Marcelo Tosatti @ 2010-07-28 0:25 UTC (permalink / raw)
To: Avi Kivity; +Cc: kvm
On Mon, Jul 26, 2010 at 06:32:37PM +0300, Avi Kivity wrote:
> Intel vmx does not restore GDT.LIMIT; this allows host userspace to look at
> some host kernel bits by loading a segment register and looking whether a
> trap happened or not.
>
> Fix that by reloading GDT on heavyweight exits.
>
> Avi Kivity (2):
> KVM: VMX: Fix host GDT.LIMIT corruption
> KVM: VMX: Use host_gdt variable wherever we need the host gdt
>
> arch/x86/kvm/vmx.c | 19 ++++++++++---------
> 1 files changed, 10 insertions(+), 9 deletions(-)
Applied, thanks.
^ permalink raw reply [flat|nested] 4+ messages in thread