From: Sean Christopherson <seanjc@google.com>
To: Julian Stecklina <julian.stecklina@cyberus-technology.de>
Cc: "x86@kernel.org" <x86@kernel.org>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"hpa@zytor.com" <hpa@zytor.com>,
"mingo@redhat.com" <mingo@redhat.com>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"bp@alien8.de" <bp@alien8.de>,
"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
"pbonzini@redhat.com" <pbonzini@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/2] KVM: x86: Fix partially uninitialized integer in emulate_pop
Date: Fri, 6 Oct 2023 00:56:58 +0000 [thread overview]
Message-ID: <ZR9bWv_Fogzx1zwv@google.com> (raw)
In-Reply-To: <1b0252b29c19cc08c41e1b58b26fbcf1f3fb06e4.camel@cyberus-technology.de>
On Thu, Oct 05, 2023, Julian Stecklina wrote:
> On Wed, 2023-10-04 at 08:07 -0700, Sean Christopherson wrote:
> > On Wed, Oct 04, 2023, Julian Stecklina wrote:
> > > Most code gives a pointer to an uninitialized unsigned long as dest in
> > > emulate_pop. len is usually the word width of the guest.
> > >
> > > If the guest runs in 16-bit or 32-bit modes, len will not cover the
> > > whole unsigned long and we end up with uninitialized data in dest.
> > >
> > > Looking through the callers of this function, the issue seems
> > > harmless, but given that none of this is performance critical, there
> > > should be no issue with just always initializing the whole value.
> > >
> > > Fix this by explicitly requiring a unsigned long pointer and
> > > initializing it with zero in all cases.
> >
> > NAK, this will break em_leave() as it will zero RBP regardless of how many
> > bytes
> > are actually supposed to be written. Specifically, KVM would incorrectly
> > clobber
> > RBP[31:16] if LEAVE is executed with a 16-bit stack.
>
> Thanks, Sean! Great catch. I didn't see this. Is there already a test suite for
> this?
No, I'm just excessively paranoid when it comes to the emulator :-)
> > I generally like defense-in-depth approaches, but zeroing data that the caller
> > did not ask to be written is not a net positive.
>
> I'll rewrite the patch to just initialize variables where they are currently
> not. This should be a bit more conservative and have less risk of breaking
> anything.
In all honesty, I wouldn't bother. Trying to harden the emulator code for things
like this will be a never ending game of whack-a-mole. The operands, of which
there are many, have multiple unions with fields of varying size, and all kinds
of subtle rules/logic for which field is used, how many bytes within a given field
are valid, etc.
It pains me a bit to say this, but I think we're best off leaving the emulator
as-is, and relying on things like fancy compiler features, UBSAN, and fuzzers to
detect any lurking bugs.
struct operand {
enum { OP_REG, OP_MEM, OP_MEM_STR, OP_IMM, OP_XMM, OP_MM, OP_NONE } type;
unsigned int bytes;
unsigned int count;
union {
unsigned long orig_val;
u64 orig_val64;
};
union {
unsigned long *reg;
struct segmented_address {
ulong ea;
unsigned seg;
} mem;
unsigned xmm;
unsigned mm;
} addr;
union {
unsigned long val;
u64 val64;
char valptr[sizeof(sse128_t)];
sse128_t vec_val;
u64 mm_val;
void *data;
};
};
next prev parent reply other threads:[~2023-10-06 1:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-04 13:38 [PATCH 1/2] KVM: x86: Fix partially uninitialized integer in emulate_pop Julian Stecklina
2023-10-04 13:38 ` [PATCH 2/2] KVM: x86: rename push to emulate_push for consistency Julian Stecklina
2023-10-04 15:13 ` Sean Christopherson
2023-10-04 15:07 ` [PATCH 1/2] KVM: x86: Fix partially uninitialized integer in emulate_pop Sean Christopherson
2023-10-05 13:48 ` Julian Stecklina
2023-10-06 0:56 ` Sean Christopherson [this message]
2023-10-06 9:04 ` Julian Stecklina
2023-10-09 9:20 ` [PATCH v2 " Julian Stecklina
2023-10-09 9:20 ` [PATCH v2 2/2] KVM: x86: rename push to emulate_push for consistency Julian Stecklina
2024-02-09 0:22 ` [PATCH v2 1/2] KVM: x86: Fix partially uninitialized integer in emulate_pop Sean Christopherson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZR9bWv_Fogzx1zwv@google.com \
--to=seanjc@google.com \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=julian.stecklina@cyberus-technology.de \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox