From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Eugene Korenevsky <ekorenevsky@gmail.com>,
kvm@vger.kernel.org, Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH v3 1/2] kvm: vmx: fix limit checking in get_vmx_mem_address()
Date: Wed, 5 Jun 2019 13:30:01 -0700 [thread overview]
Message-ID: <20190605203001.GF26328@linux.intel.com> (raw)
In-Reply-To: <20190605195729.GA25699@dnote>
On Wed, Jun 05, 2019 at 10:57:29PM +0300, Eugene Korenevsky wrote:
> Intel SDM vol. 3, 5.3:
> The processor causes a
> general-protection exception (or, if the segment is SS, a stack-fault
> exception) any time an attempt is made to access the following addresses
> in a segment:
> - A byte at an offset greater than the effective limit
> - A word at an offset greater than the (effective-limit – 1)
> - A doubleword at an offset greater than the (effective-limit – 3)
> - A quadword at an offset greater than the (effective-limit – 7)
>
> Therefore, the generic limit checking error condition must be
>
> exn = (off > limit + 1 - access_len) = (off + access_len - 1 > limit)
>
> but not
>
> exn = (off + access_len > limit)
>
> as for now.
>
> Note: access length is incorrectly set to sizeof(u64). This will be fixed in
> the subsequent patch.
>
> Signed-off-by: Eugene Korenevsky <ekorenevsky@gmail.com>
> ---
> Changes in v3 since v2: fixed limit checking condition to avoid underflow;
> added note
>
> arch/x86/kvm/vmx/nested.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index f1a69117ac0f..93df72597c72 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -4115,7 +4115,7 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification,
> */
> if (!(s.base == 0 && s.limit == 0xffffffff &&
> ((s.type & 8) || !(s.type & 4))))
> - exn = exn || (off + sizeof(u64) > s.limit);
> + exn = exn || (off + sizeof(u64) - 1 > s.limit);
This still has a wrap bug in 32-bit KVM, e.g. off == 0xffffffff will
incorrectly pass the limit check due to wrapping its unsigned long.
> }
> if (exn) {
> kvm_queue_exception_e(vcpu,
> --
> 2.21.0
>
prev parent reply other threads:[~2019-06-05 20:30 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-05 19:57 [PATCH v3 1/2] kvm: vmx: fix limit checking in get_vmx_mem_address() Eugene Korenevsky
2019-06-05 20:30 ` Sean Christopherson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190605203001.GF26328@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=ekorenevsky@gmail.com \
--cc=kvm@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox