From: Antoine Martin
Subject: Re: kvm ptrace 32bit DoS bug - bisected
Date: Sat, 17 Oct 2009 20:24:46 +0700
Message-ID: <4AD9C59E.7000100@nagafix.co.uk>
References: <4AA26A86.8060908@nagafix.co.uk> <20090905204336.GA6991@amt.cnet> <4AA366AA.7010806@nagafix.co.uk> <4AA369A8.3040008@nagafix.co.uk> <20090908163312.GA18155@amt.cnet> <4AA68C1F.1010704@web.de>
In-Reply-To: <4AA68C1F.1010704@web.de>
To: Jan Kiszka
Cc: Marcelo Tosatti, "kvm@vger.kernel.org", Roland McGrath
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

Jan Kiszka wrote:
> Marcelo Tosatti wrote:
>> On Sun, Sep 06, 2009 at 02:50:00PM +0700, Antoine Martin wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> [snip]
>>>>> Is this an AMD host?
>>>> Nope, Intel Core2, more host info:
>>> I have put all the relevant binaries and their config files here:
>>> http://uml.devloop.org.uk/kvmbug/
>>> Host kernel, qemu binary, kvm guest kernel and the UML binary I have
>>> used for bisecting.
>> Antoine,
>>
>> Works for me with master branch. It's likely this commit fixed it:
>>
>> commit 76d4622776d007de3f90f311591babc5f6ba6f39
>> Author: Avi Kivity
>> Date: Tue Sep 1 12:03:25 2009 +0300
>>
>>     KVM: VMX: Check cpl before emulating debug register access
>>
>>     Debug registers may only be accessed from cpl 0. Unfortunately, vmx will
>>     code to emulate the instruction even though it was issued from guest
>>     userspace, possibly leading to an unexpected trap later.
>>
>> It will be included in 2.6.30 / 2.6.27 stable (.29 is not maintained
>> anymore).
>
> Easy to check: Does the UML image still contain mov-to-db instructions?
> If not, this commit cannot make the difference.

I'd be happy to grep it if you give me the mov-to-db opcode.

Anyway, I am happy to report that upgrading the host to 2.6.31 prevents
the guests from crashing.

Antoine
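The check Jan asks for, as an added example that is not part of the thread and not code from KVM or UML: a scanner for the two debug-register MOV encodings in 32-bit x86 code (0F 21 /r reads DRn into a GPR, 0F 23 /r writes a GPR into DRn; the ModRM reg field selects the DR, the r/m field the GPR, and the mod field is ignored). It is a byte-pattern scan like a grep, not a disassembly, so the assumptions are that the input is raw 32-bit code (the UML binary in the thread is 32-bit; 64-bit code would additionally need REX prefixes handled) and that hits are candidates to confirm against a real disassembly. SAMPLE is a constructed byte sequence; the names scan_debug_reg_moves, DebugRegAccess and scan_file are hypothetical.

```python
"""Scan raw 32-bit x86 code for MOV to/from debug registers (DR0-DR7).

Added example; the encodings come from the Intel SDM (vol. 2, MOV to/from
debug registers):
    0F 21 /r   MOV r32, DRn   (read DRn)    AT&T: mov %dbN,%reg
    0F 23 /r   MOV DRn, r32   (write DRn)   AT&T: mov %reg,%dbN
DR4/DR5 alias DR6/DR7 when CR4.DE=0 and raise #UD when CR4.DE=1.  Both
forms are privileged and raise #GP at CPL>0, which is exactly the case the
KVM commit in the thread stops emulating for guest userspace.
"""
from dataclasses import dataclass
from typing import List

GPR32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")
MOV_FROM_DR, MOV_TO_DR = 0x21, 0x23      # second opcode byte after the 0F escape
DR_ALIAS = {4: 6, 5: 7}                  # DR4/DR5 -> DR6/DR7 with CR4.DE=0


@dataclass(frozen=True)
class DebugRegAccess:
    offset: int        # byte offset of the 0F escape byte
    direction: str     # "mov_to_dr" (write DRn) or "mov_from_dr" (read DRn)
    dr: int            # debug register as encoded in ModRM.reg (0-7)
    gpr: str           # general-purpose register in ModRM.rm
    effective_dr: int  # register actually touched when CR4.DE=0

    def att(self) -> str:
        """Render in AT&T syntax, matching what objdump -d prints."""
        if self.direction == "mov_to_dr":
            return f"mov %{self.gpr},%db{self.dr}"
        return f"mov %db{self.dr},%{self.gpr}"


def decode_dr_modrm(modrm: int):
    """ModRM for MOV DR: reg field = DRn, r/m field = GPR, mod ignored."""
    return (modrm >> 3) & 7, GPR32[modrm & 7]


def scan_debug_reg_moves(code: bytes, base: int = 0) -> List[DebugRegAccess]:
    """Return every 0F 21 /r and 0F 23 /r pattern found in code.

    This is a linear byte scan, not a disassembly: a hit can sit inside data
    or inside a longer instruction's immediate, so confirm hits with objdump.
    Conversely it cannot miss an instruction with these bytes.
    """
    hits = []
    i = 0
    while i + 2 < len(code):
        if code[i] == 0x0F and code[i + 1] in (MOV_FROM_DR, MOV_TO_DR):
            dr, gpr = decode_dr_modrm(code[i + 2])
            direction = "mov_to_dr" if code[i + 1] == MOV_TO_DR else "mov_from_dr"
            hits.append(DebugRegAccess(base + i, direction, dr, gpr,
                                       DR_ALIAS.get(dr, dr)))
            i += 3
        else:
            i += 1
    return hits


def scan_file(path: str, base: int = 0) -> List[DebugRegAccess]:
    """Scan a whole file (e.g. a 32-bit UML binary or vmlinux image)."""
    with open(path, "rb") as f:
        return scan_debug_reg_moves(f.read(), base)


# Constructed sample: a small function that sets DR7, reads DR0 and writes
# the DR4 alias, surrounded by ordinary instructions with no 0F bytes.
SAMPLE = bytes.fromhex(
    "55"          # push %ebp
    "89e5"        # mov  %esp,%ebp
    "b801000000"  # mov  $1,%eax
    "0f23f8"      # mov  %eax,%db7   (offset 8)
    "0f21c2"      # mov  %db0,%edx   (offset 11)
    "0f23e1"      # mov  %ecx,%db4   (offset 14; aliases db6 unless CR4.DE)
    "c9"          # leave
    "c3"          # ret
)

if __name__ == "__main__":
    for hit in scan_debug_reg_moves(SAMPLE):
        alias = f" (touches db{hit.effective_dr})" if hit.effective_dr != hit.dr else ""
        print(f"{hit.offset:#06x}: {hit.att()}{alias}")
```

For a real binary the equivalent one-liner is `objdump -d <file> | grep -E 'mov.*%db[0-7]'`; the scanner above is useful when no disassembler is at hand or when the file is a raw image rather than an ELF, and its output should be cross-checked against the disassembly because a byte scan cannot tell code from data.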