From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paolo Bonzini
Subject: Re: [PATCH 3/5] KVM: x86: Decoding guest instructions which cross page boundary may fail
Date: Wed, 08 Oct 2014 11:02:00 +0200
Message-ID: <5434FD88.6030804@redhat.com>
References: <1412287806-16016-1-git-send-email-namit@cs.technion.ac.il> <1412287806-16016-4-git-send-email-namit@cs.technion.ac.il> <20141006205056.GB4989@potion.brq.redhat.com> <75ED3032-A69F-4A79-B23B-3F5FCC8939E1@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: QUOTED-PRINTABLE
Cc: Nadav Amit, joro@8bytes.org, kvm@vger.kernel.org
To: Nadav Amit, Radim Krčmář
Return-path: Received: from mx1.redhat.com ([209.132.183.28]:64631 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755213AbaJHJCP (ORCPT); Wed, 8 Oct 2014 05:02:15 -0400
In-Reply-To: <75ED3032-A69F-4A79-B23B-3F5FCC8939E1@gmail.com>
Sender: kvm-owner@vger.kernel.org
List-ID:

On 07/10/2014 11:15, Nadav Amit wrote:
>
> On Oct 6, 2014, at 11:50 PM, Radim Krčmář wrote:
>
>> 2014-10-03 01:10+0300, Nadav Amit:
>>> Once an instruction crosses a page boundary, the size read from the second page
>>> disregards the common case that part of the operand resides on the first page.
>>> As a result, fetch of long instructions may fail, and thereby cause the
>>> decoding to fail as well.
>>>
>>> Signed-off-by: Nadav Amit
>>> ---
>>
>> Good catch, was it thanks to an exhaustive test-suite?
>>
>> Reviewed-by: Radim Krčmář
>
> It was caught in a test-environment. However, I keep wondering how it did not happen in real guest OS.
> I think it is due to pure luck, so I recommend to put it in -stable.

The shorter the immediate, the more you need an unlucky alignment for
this to happen. For example, say you have a 10-byte instruction with 2
opcode bytes and one qword immediate.

1) Instruction at 0x1ffd, __do_insn_fetch_bytes is requested 8 bytes
instead of 7, but it accepts up to 15 - 3 = 12 bytes and everything works.

2) Instruction at 0x1ff7, __do_insn_fetch_bytes is requested 8 bytes
instead of 1. It accepts up to 15 - 9 = 6 bytes and fails.

Most emulated instructions have a 4-byte immediate or no immediate at all.

Fixes: 5cfc7e0f5e5e1adf998df94f8e36edaf5d30d38e

Paolo
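A small model of the alignment argument in Paolo's reply (an added example, not KVM's emulator code). It assumes a 15-byte per-instruction fetch limit, that a fetch stops at the page boundary, and that the buggy path re-requests the whole operand size from the second page while the fixed path requests only the bytes still missing; it sweeps every start offset near the end of a page, so it generalizes the two cases given above to any opcode/immediate layout.

```c
/* Model of the fetch-length check discussed in the thread. The names
 * head/imm and the 4 KiB page are modelling assumptions, not KVM code. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_INSN_LEN 15           /* x86 architectural instruction limit */
#define PAGE_SIZE_MODEL 4096UL

/* Bytes of an instruction starting at rip that lie on its first page. */
static size_t bytes_on_first_page(unsigned long rip, size_t insn_len) {
    size_t room = PAGE_SIZE_MODEL - (rip % PAGE_SIZE_MODEL);
    return room < insn_len ? room : insn_len;
}

/* The second-page fetch is accepted only if it stays within the 15-byte
 * budget after the bytes already fetched from the first page. */
static bool fetch_accepts(size_t fetched, size_t request) {
    return request <= MAX_INSN_LEN - fetched;
}

/* True when decoding succeeds for an instruction at rip made of `head`
 * opcode/modrm bytes followed by an `imm`-byte immediate (head+imm <= 15).
 * buggy=true models requesting `imm` bytes from the second page even though
 * part of the immediate was already fetched from the first page. */
bool decode_ok(unsigned long rip, size_t head, size_t imm, bool buggy) {
    size_t len = head + imm;
    size_t first = bytes_on_first_page(rip, len);
    if (first == len)          /* no page crossing at all */
        return true;
    if (first <= head)         /* whole immediate on the second page: both
                                  paths request exactly imm bytes */
        return fetch_accepts(head, imm);
    size_t missing = len - first;   /* immediate bytes left on page two */
    return fetch_accepts(first, buggy ? imm : missing);
}

/* Number of start offsets near the page end where the buggy request fails
 * but the corrected one succeeds. 0 means this layout never hits the bug. */
int count_failing_offsets(size_t head, size_t imm) {
    int n = 0;
    for (unsigned long rip = PAGE_SIZE_MODEL - MAX_INSN_LEN;
         rip < PAGE_SIZE_MODEL; rip++)
        if (decode_ok(rip, head, imm, false) && !decode_ok(rip, head, imm, true))
            n++;
    return n;
}
```

For the 2-opcode-byte, qword-immediate layout only two alignments fail (the instruction starting 8 or 9 bytes before the boundary); the same layout with a dword immediate never fails, and a dword immediate only becomes reachable when 12 or more bytes precede it.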