Re: [PATCH] KVM: emulator: fix execution close to the segment limit

[Borislav Petkov <bp@suse.de>]

On Mon, Oct 27, 2014 at 03:31:46PM +0100, Paolo Bonzini wrote:
> Emulation of code that is 14 bytes to the segment limit or closer
> (e.g. RIP = 0xFFFFFFF2 after reset) is broken because we try to read as
> many as 15 bytes from the beginning of the instruction, and __linearize
> fails when the passed (address, size) pair reaches out of the segment.
> 
> To fix this, let __linearize return the maximum accessible size (clamped
> to 2^32-1) for usage in __do_insn_fetch_bytes, and avoid the limit check
> by passing zero for the desired size.
> 
> For expand-down segments, __linearize is performing a redundant check.
> (u32)(addr.ea + size - 1) <= lim can only happen if addr.ea is close
> to 4GB; in this case, addr.ea + size - 1 will also fail the check against
> the upper bound of the segment (which is provided by the D/B bit).
> After eliminating the redundant check, it is simple to compute
> the *max_size for expand-down segments too.
> 
> Now that the limit check is done in __do_insn_fetch_bytes, we want
> to inject a general protection fault there if size < op_size (like
> __linearize would have done), instead of just aborting.
> 
> This fixes booting Tiano Core from emulated flash with EPT disabled.
> 
> Cc: stable@vger.kernel.org
> Fixes: 719d5a9b2487e0562f178f61e323c3dc18a8b200
> Reported-by: Borislav Petkov <bp@suse.de>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

Thanks Paolo, the ept=0 case seems to work now. I'll stress it more
later this week.

Tested-by: Borislav Petkov <bp@suse.de>

-- 
Regards/Gruss,
    Boris.

Sent from a fat crate under my desk. Formatting is fine.
--