From: Paolo Bonzini <pbonzini@redhat.com>
To: "Nadav Amit" <nadav.amit@gmail.com>, "Radim Krčmář" <rkrcmar@redhat.com>
Cc: Nadav Amit <namit@cs.technion.ac.il>,
joro@8bytes.org, kvm@vger.kernel.org
Subject: Re: [PATCH 3/5] KVM: x86: Decoding guest instructions which cross page boundary may fail
Date: Wed, 08 Oct 2014 11:02:00 +0200 [thread overview]
Message-ID: <5434FD88.6030804@redhat.com> (raw)
In-Reply-To: <75ED3032-A69F-4A79-B23B-3F5FCC8939E1@gmail.com>
On 07/10/2014 11:15, Nadav Amit wrote:
>
> On Oct 6, 2014, at 11:50 PM, Radim Krčmář <rkrcmar@redhat.com> wrote:
>
>> 2014-10-03 01:10+0300, Nadav Amit:
>>> Once an instruction crosses a page boundary, the size read from the second page
>>> disregards the common case that part of the operand resides on the first page.
>>> As a result, fetch of long instructions may fail, and thereby cause the
>>> decoding to fail as well.
>>>
>>> Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
>>> ---
>>
>> Good catch, was it thanks to an exhaustive test-suite?
>>
>> Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
>
> It was caught in a test environment. However, I keep wondering how it did not happen in a real guest OS.
> I think it is due to pure luck, so I recommend to put it in -stable.
The shorter the immediate, the more you need an unlucky alignment for
this to happen. For example, say you have a 10-byte instruction with 2
opcode bytes and one qword immediate.
1) Instruction at 0x1ffd, __do_insn_fetch_bytes is requested 8 bytes
instead of 7, but it accepts up to 15 - 3 = 12 bytes and everything works.
2) Instruction at 0x1ff7, __do_insn_fetch_bytes is requested 8 bytes
instead of 1. It accepts up to 15 - 9 = 6 bytes and fails.
Most emulated instructions have a 4-byte immediate or no immediate at all.
Fixes: 5cfc7e0f5e5e1adf998df94f8e36edaf5d30d38e
Paolo
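A stand-alone model of the fetch-cache arithmetic walked through above, added here as an example; it is not code from KVM or from anyone in this thread. It assumes exactly the behaviour the reply describes: a 15-byte window, a fetch that stops at the end of the current page, a pre-patch request for the full operand size and a patched request for only the bytes the cache does not already hold. The function names, the "opcode bytes followed by one immediate" instruction shape and the count_failing_starts sweep are this example's own simplifications.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define X86_MAX_INSN_LEN 15u	/* longest legal x86 instruction */

/*
 * Model (not KVM's code) of the emulator's instruction fetch cache:
 * 'end' counts bytes already fetched from the guest, 'ptr' counts
 * bytes the decoder has consumed. Only the arithmetic matters here,
 * so no byte buffer is kept.
 */
struct fetch_cache {
	uint64_t eip;	/* linear address of the instruction's first byte */
	unsigned end;	/* bytes fetched so far */
	unsigned ptr;	/* bytes consumed by the decoder */
};

/*
 * Model of __do_insn_fetch_bytes(): fetch at least op_size more bytes,
 * limited by the 15-byte window and by the end of the current page.
 * Returns false where the real code would inject #GP.
 */
static bool fetch_more(struct fetch_cache *fc, unsigned op_size)
{
	unsigned cur_size = fc->end;
	uint64_t linear = fc->eip + cur_size;
	unsigned size = X86_MAX_INSN_LEN - cur_size;
	unsigned page_left = PAGE_SIZE - (unsigned)(linear % PAGE_SIZE);

	if (page_left < size)
		size = page_left;
	if (size < op_size)
		return false;
	fc->end += size;
	return true;
}

/* Pre-patch behaviour: ask for the whole operand even if part of it is cached. */
static bool fetch_buggy(struct fetch_cache *fc, unsigned size)
{
	if (fc->end - fc->ptr < size)
		return fetch_more(fc, size);
	return true;
}

/* Patched behaviour: ask only for the bytes the cache does not already hold. */
static bool fetch_fixed(struct fetch_cache *fc, unsigned size)
{
	unsigned done = fc->end - fc->ptr;

	if (done < size)
		return fetch_more(fc, size - done);
	return true;
}

/*
 * Decode a hypothetical instruction at 'eip' made of opcode_len one-byte
 * fetches followed by a single imm_len-byte immediate. Returns true when
 * every fetch succeeds.
 */
bool decode(uint64_t eip, unsigned opcode_len, unsigned imm_len, bool fixed)
{
	struct fetch_cache fc = { .eip = eip, .end = 0, .ptr = 0 };
	bool (*fetch)(struct fetch_cache *, unsigned) = fixed ? fetch_fixed : fetch_buggy;
	unsigned i;

	/* Priming fetch at the start of decoding: fills up to the page end. */
	if (!fetch_more(&fc, 1))
		return false;
	for (i = 0; i < opcode_len; i++) {
		if (!fetch(&fc, 1))
			return false;
		fc.ptr++;
	}
	if (!fetch(&fc, imm_len))
		return false;
	fc.ptr += imm_len;
	return true;
}

/*
 * Sweep every start address for which the instruction straddles the
 * page boundary at 0x2000 and count how many fail to decode.
 */
unsigned count_failing_starts(unsigned opcode_len, unsigned imm_len, bool fixed)
{
	unsigned k, failures = 0;

	for (k = 1; k < opcode_len + imm_len; k++)
		if (!decode(0x2000 - k, opcode_len, imm_len, fixed))
			failures++;
	return failures;
}

int main(void)
{
	/* The two cases from the reply: 2 opcode bytes + qword immediate. */
	printf("0x1ffd, pre-patch: %s\n", decode(0x1ffd, 2, 8, false) ? "ok" : "fails");
	printf("0x1ff7, pre-patch: %s\n", decode(0x1ff7, 2, 8, false) ? "ok" : "fails");
	printf("0x1ff7, patched:   %s\n", decode(0x1ff7, 2, 8, true) ? "ok" : "fails");
	printf("failing starts, imm8 pre-patch: %u, imm4 pre-patch: %u\n",
	       count_failing_starts(2, 8, false), count_failing_starts(2, 4, false));
	return 0;
}
```

The sweep makes the "unlucky alignment" point measurable: with a 2-byte opcode the qword-immediate form fails for two of its nine straddling start addresses before the patch and none after it, while the dword-immediate form never fails, because the cache always still holds at least 4 bytes once the window has been capped at 15 - cur_size.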
2014-10-02 22:10 [PATCH 0/5] KVM: x86: Various bug fixes Nadav Amit
2014-10-02 22:10 ` [PATCH 1/5] KVM: x86: Clear DR7.LE during task-switch Nadav Amit
2014-10-06 19:45 ` Radim Krčmář
2014-10-02 22:10 ` [PATCH 2/5] KVM: x86: Emulator performs code segment checks on read access Nadav Amit
2014-10-06 20:32 ` Radim Krčmář
2014-10-10 2:07 ` [PATCH v2 " Nadav Amit
2014-10-10 15:54 ` Radim Krčmář
2014-10-11 9:39 ` Paolo Bonzini
2014-10-12 6:57 ` Nadav Amit
2014-10-12 12:12 ` Paolo Bonzini
2014-10-12 23:15 ` Nadav Amit
2014-10-13 4:29 ` Paolo Bonzini
2014-10-13 11:31 ` Gleb Natapov
2014-10-19 16:07 ` Nadav Amit
2014-10-02 22:10 ` [PATCH 3/5] KVM: x86: Decoding guest instructions which cross page boundary may fail Nadav Amit
2014-10-06 20:50 ` Radim Krčmář
2014-10-07 9:15 ` Nadav Amit
2014-10-08 9:02 ` Paolo Bonzini [this message]
2014-10-02 22:10 ` [PATCH 4/5] KVM: vmx: Unavailable DR4/5 is checked before CPL Nadav Amit
2014-10-06 19:33 ` Radim Krčmář
2014-10-02 22:10 ` [PATCH 5/5] KVM: x86: Using TSC deadline may cause multiple interrupts by user writes Nadav Amit
2014-10-06 20:57 ` Radim Krčmář
2014-10-07 9:35 ` Nadav Amit
2014-10-08 10:06 ` Radim Krčmář
2014-10-08 10:07 ` Paolo Bonzini
2014-10-10 1:55 ` Nadav Amit
2014-10-10 9:45 ` Paolo Bonzini
2014-10-10 12:50 ` Radim Krčmář
2014-10-10 12:51 ` Nadav Amit
2014-10-10 13:55 ` Paolo Bonzini
2014-10-10 14:02 ` Paolo Bonzini
2014-10-08 9:29 ` Paolo Bonzini