From: Sean Christopherson <seanjc@google.com>
To: Paolo Bonzini <pbonzini@redhat.com>
Cc: Sean Christopherson <seanjc@google.com>,
Vitaly Kuznetsov <vkuznets@redhat.com>,
Wanpeng Li <wanpengli@tencent.com>,
Jim Mattson <jmattson@google.com>, Joerg Roedel <joro@8bytes.org>,
kvm@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+f3985126b746b3d59c9d@syzkaller.appspotmail.com,
Alexander Potapenko <glider@google.com>
Subject: [PATCH 0/2] KVM: x86: Fix mostly theoretical undefined behavior
Date: Wed, 29 Sep 2021 15:24:24 -0700 [thread overview]
Message-ID: <20210929222426.1855730-1-seanjc@google.com> (raw)
Fix a mostly theoretical undefined behavior bug due to consuming
uninitialized data when searching for a matching CPUID entry during vCPU
RESET/INIT. The bug is mostly theoretical because it requires very
aggressive inlining from the compiler, as well as deliberate "sabotage"
from the compiler (which _is_ allowed by the C standard) in the face of
known uninitialized data.
Patch 1, the "fix" that is tagged for stable, is all kinds of gross in that
it doesn't directly address uninitialized data, and instead tweaks a low
level CPUID helper to avoid consuming the uninitialized data. I went that
route for the fix so that the fix would be easily/directy consumable
downstream, as porting the fix from v5.15-rcN to literally any other buggy
kernel would require hand coding the fix due to refactoring and code
movement across files.
Patch 2 directly addresses the uninitialized data.
If patch 1 is unpalatable, an alternative would be to do a bit of merge
magic and feed in a fix to initialize "dummy" in svm.c, which was the only
buggy path prior to v5.15-rcN. However, KVM lived from 2012-2020 with
what's effectively the behavior after applying patch 1, and no one noticed
that the behavior was broken in 2020 until v5.15-rc1 introduced the bad
behavior to VMX, i.e. opened up the validation surface to bots that
presumably run the majority of their cycles on Intel CPUs.
Sean Christopherson (2):
KVM: x86: Swap order of CPUID entry "index" vs. "significant flag"
checks
KVM: x86: Manually retrieve CPUID.0x1 when getting FMS for RESET/INIT
arch/x86/kvm/cpuid.c | 4 ++--
arch/x86/kvm/x86.c | 11 +++++------
2 files changed, 7 insertions(+), 8 deletions(-)
--
2.33.0.685.g46640cef36-goog
next reply other threads:[~2021-09-29 22:24 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-29 22:24 Sean Christopherson [this message]
2021-09-29 22:24 ` [PATCH 1/2] KVM: x86: Swap order of CPUID entry "index" vs. "significant flag" checks Sean Christopherson
2021-09-29 22:51 ` Jim Mattson
2021-09-29 22:24 ` [PATCH 2/2] KVM: x86: Manually retrieve CPUID.0x1 when getting FMS for RESET/INIT Sean Christopherson
2021-09-29 22:49 ` Jim Mattson
2021-09-30 8:25 ` Paolo Bonzini
2021-09-30 15:11 ` Sean Christopherson
2021-09-30 16:45 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210929222426.1855730-1-seanjc@google.com \
--to=seanjc@google.com \
--cc=glider@google.com \
--cc=jmattson@google.com \
--cc=joro@8bytes.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
--cc=syzbot+f3985126b746b3d59c9d@syzkaller.appspotmail.com \
--cc=vkuznets@redhat.com \
--cc=wanpengli@tencent.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox