From: Mathias Krause <minipli@grsecurity.net>
To: Chao Gao <chao.gao@intel.com>, kvm@vger.kernel.org
Cc: pbonzini@redhat.com, seanjc@google.com
Subject: Re: [PATCH 1/2] x86/eventinj: Use global asm label for nested NMI IP address verification
Date: Tue, 16 Sep 2025 12:10:46 +0200
Message-ID: <a8c4d415-a23b-46f6-89fc-28facaba0a44@grsecurity.net>
In-Reply-To: <20250915144936.113996-2-chao.gao@intel.com>
On 15.09.25 at 16:49, Chao Gao wrote:
> Use a global asm label to get the expected IP address for nested NMI
> interception instead of reading a hardcoded offset from the stack.
>
> The NMI test in eventinj.c verifies that a nested NMI occurs immediately at
> the return address (IP register) in the IRET frame, as IRET opens the
> NMI window. Currently, nested_nmi_iret_isr() reads the return address
> using a magic offset (iret_stack[-3]), which is unclear and may break if
> more values are pushed to the "iret_stack".
>
> To improve readability, add a global 'ip_after_iret' label for the expected
> return address, push it to the IRET frame, and verify it matches the
> interrupted address in the nested NMI handler.
>
> Signed-off-by: Chao Gao <chao.gao@intel.com>
> ---
> x86/eventinj.c | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/x86/eventinj.c b/x86/eventinj.c
> index 6fbb2d0f..ec8a5ef1 100644
> --- a/x86/eventinj.c
> +++ b/x86/eventinj.c
> @@ -127,12 +127,13 @@ static void nmi_isr(struct ex_regs *r)
> }
>
> unsigned long *iret_stack;
> +extern char ip_after_iret[];
>
> static void nested_nmi_iret_isr(struct ex_regs *r)
> {
> printf("Nested NMI isr running rip=%lx\n", r->rip);
>
> - if (r->rip == iret_stack[-3])
> + if (r->rip == (unsigned long)ip_after_iret)
This change basically eliminates the need for the global
'ip_after_iret'; it can be local to nmi_iret_isr() now.
> test_count++;
> }
>
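Review bot: when the `+ if (r->rip == (unsigned long)ip_after_iret)` comparison fails, the only diagnostic is the `printf` two lines above it, which logs `r->rip` alone, so the output cannot show how far from the expected address the nested NMI actually landed. Suggest logging both values, e.g. `printf("Nested NMI isr running rip=%lx (expected %lx)\n", r->rip, (unsigned long)ip_after_iret);`, which also documents at the use site what `ip_after_iret` stands for.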
> @@ -156,11 +157,11 @@ asm("do_iret:"
> "mov %cs, %ecx \n\t"
> "push"W" %"R "cx \n\t"
> #ifndef __x86_64__
> - "push"W" $2f \n\t"
> + "push"W" $ip_after_iret \n\t"
>
> "cmpb $0, no_test_device\n\t" // see if need to flush
> #else
> - "leaq 2f(%rip), %rbx \n\t"
> + "leaq ip_after_iret(%rip), %rbx \n\t"
> "pushq %rbx \n\t"
>
> "mov no_test_device(%rip), %bl \n\t"
> @@ -170,7 +171,9 @@ asm("do_iret:"
> "outl %eax, $0xe4 \n\t" // flush page
> "1: \n\t"
> "iret"W" \n\t"
> - "2: xchg %"R "dx, %"R "sp \n\t" // point to old stack
> + ".global ip_after_iret \n\t"
> + "ip_after_iret: \n\t"
> + "xchg %"R "dx, %"R "sp \n\t" // point to old stack
> "ret\n\t"
> );
>
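Review bot: nothing in the hunk records that `+ "ip_after_iret: \n\t"` must remain the very first instruction after the `"iret"W" \n\t"` line; the nested NMI check compares against exactly this address, so an instruction or alignment directive slipped in between the two would make the test fail for no obvious reason. Suggest a comment on the label line, e.g. `"ip_after_iret: \n\t" // must be the first insn after iret: the NMI window opens here`, matching the `// point to old stack` style already used below it.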
Thread overview: 8+ messages
2025-09-15 14:49 [kvm-unit-tests PATCH 0/2] Fix triple fault in eventinj test Chao Gao
2025-09-15 14:49 ` [PATCH 1/2] x86/eventinj: Use global asm label for nested NMI IP address verification Chao Gao
2025-09-16 10:10 ` Mathias Krause [this message]
2025-10-15 1:47 ` Chao Gao
2025-10-15 4:29 ` Mathias Krause
2025-09-15 14:49 ` [PATCH 2/2] x86/eventinj: Push SP to IRET frame Chao Gao
2025-09-16 10:21 ` Mathias Krause
2025-10-15 1:49 ` Chao Gao