From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Yang, Sheng" Subject: [PATCH] KVM: emulator: Only allow VMCALL/VMMCALL trapped by #UD Date: Fri, 4 Jan 2008 09:36:08 +0800 Message-ID: <200801040936.08670.sheng.yang@intel.com> Mime-Version: 1.0 Content-Type: Multipart/Mixed; boundary="Boundary-00=_I2YfHp7Qi7bC7lH" Cc: Eric Liu To: kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org Return-path: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org Errors-To: kvm-devel-bounces-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org List-Id: kvm.vger.kernel.org --Boundary-00=_I2YfHp7Qi7bC7lH Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline =46rom 9743b5299bae1779c2b893cbeb86122bcccb9b2d Mon Sep 17 00:00:00 2001 =46rom: Sheng Yang Date: Wed, 2 Jan 2008 14:49:22 +0800 Subject: [PATCH] KVM: emulator: Only allow VMCALL/VMMCALL trapped by #UD When executing a test program called "crashme", we found the KVM guest cann= ot=20 survived more than ten seconds, then encounterd kernel panic. The basic=20 concept of "crashme" is graduating random assembly code and trying to execu= te=20 them in a fork process. After some fix on emulator valid judgment, we found it's hard to get the=20 current emulator handle the invalid instructions correctly, for the #UD tra= p=20 for hypercall patching caused troubles. The problem is, if the opcode itsel= f=20 was OK, but combination of opcode and modrm_reg was invalid, and one operan= d=20 of the opcode was memory(SrcMem or DstMem), emulator would fetched the memo= ry=20 operand first rather than judged the validity, and may encounter error ther= e.=20 =46or example, ".byte 0xfe, 0x34, 0xcd" got this trouble. In the patch, we simply check that if the invalid opcode isn't vmcall/vmmca= ll,=20 then return from emulate_instruction() and inject a #UD to guest. With the= =20 patch, the guest had been run for more than 12 hours. Signed-off-by: Feng (Eric) Liu Signed-off-by: Sheng Yang =2D-- arch/x86/kvm/svm.c | 2 +- arch/x86/kvm/vmx.c | 2 +- arch/x86/kvm/x86.c | 18 +++++++++++++++--- include/asm-x86/kvm_host.h | 4 +++- 4 files changed, 20 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index 11e5baf..2da9e11 100644 =2D-- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -942,7 +942,7 @@ static int ud_interception(struct vcpu_svm *svm, struct= =20 kvm_run *kvm_run) { int er; =20 =2D er =3D emulate_instruction(&svm->vcpu, kvm_run, 0, 0, 0); + er =3D emulate_instruction(&svm->vcpu, kvm_run, 0, 0, EMULTYPE_TRAP_UD); if (er !=3D EMULATE_DONE) kvm_queue_exception(&svm->vcpu, UD_VECTOR); return 1; diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 4741806..5346e42 100644 =2D-- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1862,7 +1862,7 @@ static int handle_exception(struct kvm_vcpu *vcpu,=20 struct kvm_run *kvm_run) } =20 if (is_invalid_opcode(intr_info)) { =2D er =3D emulate_instruction(vcpu, kvm_run, 0, 0, 0); + er =3D emulate_instruction(vcpu, kvm_run, 0, 0, EMULTYPE_TRAP_UD); if (er !=3D EMULATE_DONE) kvm_queue_exception(vcpu, UD_VECTOR); return 1; diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index c5b4825..2a659ce 100644 =2D-- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1840,9 +1840,10 @@ int emulate_instruction(struct kvm_vcpu *vcpu, struct kvm_run *run, unsigned long cr2, u16 error_code, =2D int no_decode) + int emulation_type) { int r; + struct decode_cache *c; =20 vcpu->arch.mmio_fault_cr2 =3D cr2; kvm_x86_ops->cache_regs(vcpu); @@ -1850,7 +1851,7 @@ int emulate_instruction(struct kvm_vcpu *vcpu, vcpu->mmio_is_write =3D 0; vcpu->arch.pio.string =3D 0; =20 =2D if (!no_decode) { + if (!(emulation_type & EMULTYPE_NO_DECODE)) { int cs_db, cs_l; kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l); =20 @@ -1884,6 +1885,16 @@ int emulate_instruction(struct kvm_vcpu *vcpu, get_segment_base(vcpu, VCPU_SREG_FS); =20 r =3D x86_decode_insn(&vcpu->arch.emulate_ctxt, &emulate_ops); + + /* Reject the instructions other than VMCALL/VMMCALL when + * try to emulate invalid opcode */ + c =3D &vcpu->arch.emulate_ctxt.decode; + if ((emulation_type & EMULTYPE_TRAP_UD) && + (!(c->twobyte && c->b =3D=3D 0x01 && + (c->modrm_reg =3D=3D 0 || c->modrm_reg =3D=3D 3) && + c->modrm_mod =3D=3D 3 && c->modrm_rm =3D=3D 1))) + return EMULATE_FAIL; + ++vcpu->stat.insn_emulation; if (r) { ++vcpu->stat.insn_emulation_fail; @@ -2639,7 +2650,8 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu,=20 struct kvm_run *kvm_run) vcpu->mmio_read_completed =3D 1; vcpu->mmio_needed =3D 0; r =3D emulate_instruction(vcpu, kvm_run, =2D vcpu->arch.mmio_fault_cr2, 0, 1); + vcpu->arch.mmio_fault_cr2, 0, + EMULTYPE_NO_DECODE); if (r =3D=3D EMULATE_DO_MMIO) { /* * Read-modify-write. Back to userspace. diff --git a/include/asm-x86/kvm_host.h b/include/asm-x86/kvm_host.h index 20597bc..4702b04 100644 =2D-- a/include/asm-x86/kvm_host.h +++ b/include/asm-x86/kvm_host.h @@ -415,8 +415,10 @@ enum emulation_result { EMULATE_FAIL, /* can't emulate this instruction */ }; =20 +#define EMULTYPE_NO_DECODE (1 << 0) +#define EMULTYPE_TRAP_UD (1 << 1) int emulate_instruction(struct kvm_vcpu *vcpu, struct kvm_run *run, =2D unsigned long cr2, u16 error_code, int no_decode); + unsigned long cr2, u16 error_code, int emulation_type); void kvm_report_emulation_failure(struct kvm_vcpu *cvpu, const char=20 *context); void realmode_lgdt(struct kvm_vcpu *vcpu, u16 size, unsigned long address); void realmode_lidt(struct kvm_vcpu *vcpu, u16 size, unsigned long address); =2D-=20 1.5.3.4 --Boundary-00=_I2YfHp7Qi7bC7lH Content-Type: text/x-diff; charset="utf-8"; name="0001-KVM-emulator-Only-allow-VMCALL-VMMCALL-trapped-by.patch" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="0001-KVM-emulator-Only-allow-VMCALL-VMMCALL-trapped-by.patch" =46rom 9743b5299bae1779c2b893cbeb86122bcccb9b2d Mon Sep 17 00:00:00 2001 =46rom: Sheng Yang Date: Wed, 2 Jan 2008 14:49:22 +0800 Subject: [PATCH] KVM: emulator: Only allow VMCALL/VMMCALL trapped by #UD When executing a test program called "crashme", we found the KVM guest cann= ot survived more than ten seconds, then encounterd kernel panic. The basic = concept of "crashme" is graduating random assembly code and trying to execu= te them. After some fix on emulator valid judgment, we found it's hard to get the cu= rrent emulator handle the invalid instructions correctly, for the #UD trap = for hypercall patching caused troubles. The problem is, if the opcode itsel= f was OK, but combination of opcode and modrm_reg was invalid, and one oper= and of the opcode was memory(SrcMem or DstMem), emulator would fetched the = memory operand first rather than judged the validity, and may encounter err= or there. For example, ".byte 0xfe, 0x34, 0xcd" got this trouble. In the patch, we simply checked that if the invalid opcode wasn't vmcall/vm= mcall, then return from emulate_instruction() and inject a #UD to guest. Wi= th the patch, the guest had been running for more than 12 hours. Signed-off-by: Feng (Eric) Liu Signed-off-by: Sheng Yang =2D-- arch/x86/kvm/svm.c | 2 +- arch/x86/kvm/vmx.c | 2 +- arch/x86/kvm/x86.c | 18 +++++++++++++++--- include/asm-x86/kvm_host.h | 4 +++- 4 files changed, 20 insertions(+), 6 deletions(-) diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c index 11e5baf..2da9e11 100644 =2D-- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -942,7 +942,7 @@ static int ud_interception(struct vcpu_svm *svm, struct= kvm_run *kvm_run) { int er; =20 =2D er =3D emulate_instruction(&svm->vcpu, kvm_run, 0, 0, 0); + er =3D emulate_instruction(&svm->vcpu, kvm_run, 0, 0, EMULTYPE_TRAP_UD); if (er !=3D EMULATE_DONE) kvm_queue_exception(&svm->vcpu, UD_VECTOR); return 1; diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c index 4741806..5346e42 100644 =2D-- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -1862,7 +1862,7 @@ static int handle_exception(struct kvm_vcpu *vcpu, st= ruct kvm_run *kvm_run) } =20 if (is_invalid_opcode(intr_info)) { =2D er =3D emulate_instruction(vcpu, kvm_run, 0, 0, 0); + er =3D emulate_instruction(vcpu, kvm_run, 0, 0, EMULTYPE_TRAP_UD); if (er !=3D EMULATE_DONE) kvm_queue_exception(vcpu, UD_VECTOR); return 1; diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index c5b4825..2a659ce 100644 =2D-- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1840,9 +1840,10 @@ int emulate_instruction(struct kvm_vcpu *vcpu, struct kvm_run *run, unsigned long cr2, u16 error_code, =2D int no_decode) + int emulation_type) { int r; + struct decode_cache *c; =20 vcpu->arch.mmio_fault_cr2 =3D cr2; kvm_x86_ops->cache_regs(vcpu); @@ -1850,7 +1851,7 @@ int emulate_instruction(struct kvm_vcpu *vcpu, vcpu->mmio_is_write =3D 0; vcpu->arch.pio.string =3D 0; =20 =2D if (!no_decode) { + if (!(emulation_type & EMULTYPE_NO_DECODE)) { int cs_db, cs_l; kvm_x86_ops->get_cs_db_l_bits(vcpu, &cs_db, &cs_l); =20 @@ -1884,6 +1885,16 @@ int emulate_instruction(struct kvm_vcpu *vcpu, get_segment_base(vcpu, VCPU_SREG_FS); =20 r =3D x86_decode_insn(&vcpu->arch.emulate_ctxt, &emulate_ops); + + /* Reject the instructions other than VMCALL/VMMCALL when + * try to emulate invalid opcode */ + c =3D &vcpu->arch.emulate_ctxt.decode; + if ((emulation_type & EMULTYPE_TRAP_UD) && + (!(c->twobyte && c->b =3D=3D 0x01 && + (c->modrm_reg =3D=3D 0 || c->modrm_reg =3D=3D 3) && + c->modrm_mod =3D=3D 3 && c->modrm_rm =3D=3D 1))) + return EMULATE_FAIL; + ++vcpu->stat.insn_emulation; if (r) { ++vcpu->stat.insn_emulation_fail; @@ -2639,7 +2650,8 @@ int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, st= ruct kvm_run *kvm_run) vcpu->mmio_read_completed =3D 1; vcpu->mmio_needed =3D 0; r =3D emulate_instruction(vcpu, kvm_run, =2D vcpu->arch.mmio_fault_cr2, 0, 1); + vcpu->arch.mmio_fault_cr2, 0, + EMULTYPE_NO_DECODE); if (r =3D=3D EMULATE_DO_MMIO) { /* * Read-modify-write. Back to userspace. diff --git a/include/asm-x86/kvm_host.h b/include/asm-x86/kvm_host.h index 20597bc..4702b04 100644 =2D-- a/include/asm-x86/kvm_host.h +++ b/include/asm-x86/kvm_host.h @@ -415,8 +415,10 @@ enum emulation_result { EMULATE_FAIL, /* can't emulate this instruction */ }; =20 +#define EMULTYPE_NO_DECODE (1 << 0) +#define EMULTYPE_TRAP_UD (1 << 1) int emulate_instruction(struct kvm_vcpu *vcpu, struct kvm_run *run, =2D unsigned long cr2, u16 error_code, int no_decode); + unsigned long cr2, u16 error_code, int emulation_type); void kvm_report_emulation_failure(struct kvm_vcpu *cvpu, const char *conte= xt); void realmode_lgdt(struct kvm_vcpu *vcpu, u16 size, unsigned long address); void realmode_lidt(struct kvm_vcpu *vcpu, u16 size, unsigned long address); =2D-=20 1.5.3.4 --Boundary-00=_I2YfHp7Qi7bC7lH Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2005. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ --Boundary-00=_I2YfHp7Qi7bC7lH Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ kvm-devel mailing list kvm-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org https://lists.sourceforge.net/lists/listinfo/kvm-devel --Boundary-00=_I2YfHp7Qi7bC7lH--