From mboxrd@z Thu Jan 1 00:00:00 1970 From: Avi Kivity Subject: Re: [PATCH] VMX: Fix and improve guest state validity checks Date: Thu, 13 May 2010 09:24:04 +0300 Message-ID: <4BEB9B04.4060302@redhat.com> References: <1273596761-29923-1-git-send-email-m.gamal005@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Cc: mtosatti@redhat.com, kvm@vger.kernel.org To: Mohammed Gamal Return-path: Received: from mx1.redhat.com ([209.132.183.28]:49283 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751631Ab0EMGYL (ORCPT ); Thu, 13 May 2010 02:24:11 -0400 In-Reply-To: <1273596761-29923-1-git-send-email-m.gamal005@gmail.com> Sender: kvm-owner@vger.kernel.org List-ID: On 05/11/2010 07:52 PM, Mohammed Gamal wrote: > - Add 's' and 'g' field checks on segment registers > - Correct SS checks for request and descriptor privilege levels > > Signed-off-by: Mohammed Gamal > --- > arch/x86/kvm/vmx.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++---- > 1 files changed, 67 insertions(+), 6 deletions(-) > > diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c > index 777e00d..9805c2a 100644 > --- a/arch/x86/kvm/vmx.c > +++ b/arch/x86/kvm/vmx.c > @@ -2121,16 +2121,30 @@ static bool stack_segment_valid(struct kvm_vcpu *vcpu) > vmx_get_segment(vcpu,&ss, VCPU_SREG_SS); > ss_rpl = ss.selector& SELECTOR_RPL_MASK; > > - if (ss.unusable) > + if (ss.dpl != ss_rpl) /* DPL != RPL */ > + return false; > + > + if (ss.unusable) /* Short-circuit */ > return true; > If ss.unusable, do the dpl and rpl have any meaning? > if (!ss.present) > return false; > + if (ss.limit& 0xfff00000) { > + if ((ss.limit& 0xfff)< 0xfff) > + return false; > + if (!ss.g) > + return false; > + } else { > + if ((ss.limit& 0xfff) == 0xfff) > + return false; > + if (ss.g) > + return false; > + } > There is no architectural way to break this. That is, without virtualization, there is no way a real cpu will ever have a limit of 0x12345678. We need to distinguish between big real mode and real mode that can be virtualized using vm86, but we don't need to consider impossible setups. > @@ -2143,8 +2157,15 @@ static bool data_segment_valid(struct kvm_vcpu *vcpu, int seg) > vmx_get_segment(vcpu,&var, seg); > rpl = var.selector& SELECTOR_RPL_MASK; > > - if (var.unusable) > + if (var.unusable) /* Short-circuit */ > return true; > + if (!(var.type& AR_TYPE_ACCESSES_MASK)) > + return false; > Again, there is no architectural way for a segment not to have the accessed bit set. > + if (var.type& AR_TYPE_CODE_MASK) { > + if (!(var.type& AR_TYPE_READABLE_MASK)) > + return false; > + } > About this, I'm not sure. > + > if (!var.s) > return false; > if (!var.present) > @@ -2154,6 +2175,18 @@ static bool data_segment_valid(struct kvm_vcpu *vcpu, int seg) > return false; > } > > + if (var.limit& 0xfff00000) { > + if ((var.limit& 0xfff)< 0xfff) > + return false; > + if (!var.g) > + return false; > + } else { > + if ((var.limit& 0xfff) == 0xfff) > + return false; > + if (var.g) > + return false; > + } > Even disregarding the incorrectness, you shouldn't duplicate code like this. > @@ -2192,6 +2240,20 @@ static bool ldtr_valid(struct kvm_vcpu *vcpu) > return false; > if (!ldtr.present) > return false; > + if (ldtr.s) > + return false; > Architecturally impossible. -- Do not meddle in the internals of kernels, for they are subtle and quick to panic.