From: Nadav Amit
Subject: Re: [PATCH v2 2/5] KVM: x86: Emulator performs code segment checks on read access
Date: Mon, 13 Oct 2014 02:15:43 +0300
Message-ID: <543B0B9F.9060708@gmail.com>
References: <20141006203238.GA4989@potion.brq.redhat.com> <1412906870-4322-1-git-send-email-namit@cs.technion.ac.il> <20141010155455.GA17902@potion.brq.redhat.com> <5438FAD6.3010805@redhat.com> <543A7042.2050507@redhat.com>
In-Reply-To: <543A7042.2050507@redhat.com>
To: Paolo Bonzini
Cc: Radim Krčmář, Nadav Amit, kvm@vger.kernel.org

On 10/12/14 3:12 PM, Paolo Bonzini wrote:
> On 12/10/2014 08:57, Nadav Amit wrote:
>> Looks good. I'll give it a try but it is hard to give a definitive
>> answer, since the emulator is still bug-ridden.
>
> Yes, we need to write unit tests for this, especially the conforming
> case. A bit of a pain to get kvm-unit-tests in ring 3 (access.flat
> does it), but I'll give it a shot.
>
> Paolo
>

I think the problem might be even more fundamental.

According to the SDM, the privilege level checks (CPL/DPL/RPL) are only
performed when the segment is loaded; I see no reference to privilege
checks when data is accessed.

You should be able to load a segment with DPL=0 while you are in CPL=0,
then change CPL to 3 and still access the segment (obviously, it is
not the best practice).

In that case, all the privilege checks in __linearize are redundant and
to some extent incorrect.

Obviously, I am afraid to submit a patch that removes them, since if the
privilege checks of __linearize are needed in certain cases, this may
introduce a security problem.

Do you agree?

Nadav
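The load-time versus access-time distinction discussed in this thread, as an added C model that is not KVM's __linearize nor kvm-unit-tests code: the CPL/DPL/RPL check lives only in the segment-load path, the access path checks limit and readability, and the scenario from the mail (a DPL 0 data segment loaded at CPL 0, then accessed after CPL becomes 3) goes through. It assumes 32-bit protected mode, expand-up segments and byte-granular limits; the struct and function names are made up for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
/* Reduced x86 segment descriptor (added illustration, not KVM's own types).
 * Assumes 32-bit protected mode, expand-up segments, byte-granular limits. */
struct seg {
    uint32_t base;
    uint32_t limit;       /* last valid offset */
    unsigned dpl;         /* descriptor privilege level, 0..3 */
    bool code;            /* code segment (false = data segment) */
    bool conforming;      /* code segments only */
    bool readable;        /* code segments only; data is always readable */
};

/* Loading a selector into DS/ES/FS/GS: this is where the SDM puts the
 * CPL/DPL/RPL check. Returns false where the CPU would raise #GP. */
bool load_data_segment(const struct seg *s, unsigned cpl, unsigned rpl)
{
    if (s->code && !s->readable)
        return false;                 /* execute-only code is not loadable */
    if (!s->code || !s->conforming) {
        /* data or non-conforming code: DPL must be >= max(CPL, RPL) */
        if (s->dpl < cpl || s->dpl < rpl)
            return false;
    }
    return true;                      /* conforming code: no privilege check */
}

/* A read through an already-loaded segment: limit and readability only.
 * cpl is accepted but ignored, which is what the mail argues for __linearize. */
bool read_via_segment(const struct seg *s, uint32_t off, uint32_t size,
                      unsigned cpl, uint32_t *linear)
{
    (void)cpl;
    if (s->code && !s->readable)
        return false;
    if (size == 0 || off > s->limit || size - 1 > s->limit - off)
        return false;                 /* limit violation -> #GP */
    *linear = s->base + off;
    return true;
}

/* The mail's scenario: DPL 0 data segment loaded at CPL 0, CPL then becomes
 * 3; the access still works although a fresh load at CPL 3 would fault. */
bool scenario_cpl_change_after_load(void)
{
    struct seg ds = { .base = 0x10000, .limit = 0xfff, .dpl = 0 };
    uint32_t lin = 0;
    return load_data_segment(&ds, 0, 0) && !load_data_segment(&ds, 3, 0) &&
           read_via_segment(&ds, 0x100, 4, 3, &lin) && lin == 0x10100;
}
```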