* [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write()
@ 2017-09-18 10:45 Yu Zhang
2017-09-18 12:19 ` David Hildenbrand
0 siblings, 1 reply; 6+ messages in thread
From: Yu Zhang @ 2017-09-18 10:45 UTC (permalink / raw)
To: kvm; +Cc: linux-kernel, pbonzini, jmattson, rkrcmar, tglx, mingo, hpa
Routine check_cr_write() will trigger emulator_get_cpuid()->
kvm_cpuid() to get maxphyaddr, and NULL is passed as values
for ebx/ecx/edx. This is problematic because kvm_cpuid() will
dereference these pointers.
Fixes: d1cd3ce90044 ("KVM: MMU: check guest CR3 reserved bits based on its physical address width.")
Reported-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Yu Zhang <yu.c.zhang@linux.intel.com>
---
arch/x86/kvm/emulate.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index 16bf665..15f527b 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -4102,10 +4102,12 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
ctxt->ops->get_msr(ctxt, MSR_EFER, &efer);
if (efer & EFER_LMA) {
u64 maxphyaddr;
- u32 eax = 0x80000008;
+ u32 eax, ebx, ecx, edx;
- if (ctxt->ops->get_cpuid(ctxt, &eax, NULL, NULL,
- NULL, false))
+ eax = 0x80000008;
+ ecx = 0;
+ if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx,
+ &edx, false))
maxphyaddr = eax & 0xff;
else
maxphyaddr = 36;
--
2.5.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write() 2017-09-18 10:45 [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write() Yu Zhang @ 2017-09-18 12:19 ` David Hildenbrand 2017-09-18 15:56 ` Jim Mattson 0 siblings, 1 reply; 6+ messages in thread From: David Hildenbrand @ 2017-09-18 12:19 UTC (permalink / raw) To: Yu Zhang, kvm; +Cc: linux-kernel, pbonzini, jmattson, rkrcmar, tglx, mingo, hpa On 18.09.2017 12:45, Yu Zhang wrote: > Routine check_cr_write() will trigger emulator_get_cpuid()-> > kvm_cpuid() to get maxphyaddr, and NULL is passed as values > for ebx/ecx/edx. This is problematic because kvm_cpuid() will > dereference these pointers. > > Fixes: d1cd3ce90044 ("KVM: MMU: check guest CR3 reserved bits based on its physical address width.") > Reported-by: Jim Mattson <jmattson@google.com> > Signed-off-by: Yu Zhang <yu.c.zhang@linux.intel.com> > --- > arch/x86/kvm/emulate.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c > index 16bf665..15f527b 100644 > --- a/arch/x86/kvm/emulate.c > +++ b/arch/x86/kvm/emulate.c > @@ -4102,10 +4102,12 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) > ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); > if (efer & EFER_LMA) { > u64 maxphyaddr; > - u32 eax = 0x80000008; > + u32 eax, ebx, ecx, edx; > > - if (ctxt->ops->get_cpuid(ctxt, &eax, NULL, NULL, > - NULL, false)) > + eax = 0x80000008; > + ecx = 0; > + if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, > + &edx, false)) > maxphyaddr = eax & 0xff; > else > maxphyaddr = 36; > Not sure if fixing kvm_cpuid() would be better. Reviewed-by: David Hildenbrand <david@redhat.com> -- Thanks, David ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write() 2017-09-18 12:19 ` David Hildenbrand @ 2017-09-18 15:56 ` Jim Mattson 2017-09-20 6:35 ` Yu Zhang 0 siblings, 1 reply; 6+ messages in thread From: Jim Mattson @ 2017-09-18 15:56 UTC (permalink / raw) To: David Hildenbrand Cc: Yu Zhang, kvm list, LKML, Paolo Bonzini, Radim Krčmář, Thomas Gleixner, Ingo Molnar, H . Peter Anvin kvm_cpuid ultimately wants to write all four of the GPRs passed in by reference. I don't see any advantage to allowing some of these pointers to be NULL. Reviewed-by: Jim Mattson <jmattson@google.com> On Mon, Sep 18, 2017 at 5:19 AM, David Hildenbrand <david@redhat.com> wrote: > On 18.09.2017 12:45, Yu Zhang wrote: >> Routine check_cr_write() will trigger emulator_get_cpuid()-> >> kvm_cpuid() to get maxphyaddr, and NULL is passed as values >> for ebx/ecx/edx. This is problematic because kvm_cpuid() will >> dereference these pointers. >> >> Fixes: d1cd3ce90044 ("KVM: MMU: check guest CR3 reserved bits based on its physical address width.") >> Reported-by: Jim Mattson <jmattson@google.com> >> Signed-off-by: Yu Zhang <yu.c.zhang@linux.intel.com> >> --- >> arch/x86/kvm/emulate.c | 8 +++++--- >> 1 file changed, 5 insertions(+), 3 deletions(-) >> >> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c >> index 16bf665..15f527b 100644 >> --- a/arch/x86/kvm/emulate.c >> +++ b/arch/x86/kvm/emulate.c >> @@ -4102,10 +4102,12 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) >> ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); >> if (efer & EFER_LMA) { >> u64 maxphyaddr; >> - u32 eax = 0x80000008; >> + u32 eax, ebx, ecx, edx; >> >> - if (ctxt->ops->get_cpuid(ctxt, &eax, NULL, NULL, >> - NULL, false)) >> + eax = 0x80000008; >> + ecx = 0; >> + if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, >> + &edx, false)) >> maxphyaddr = eax & 0xff; >> else >> maxphyaddr = 36; >> > > Not sure if fixing kvm_cpuid() would be better. > > Reviewed-by: David Hildenbrand <david@redhat.com> > > -- > > Thanks, > > David ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write() 2017-09-18 15:56 ` Jim Mattson @ 2017-09-20 6:35 ` Yu Zhang 2017-09-20 8:13 ` Paolo Bonzini 0 siblings, 1 reply; 6+ messages in thread From: Yu Zhang @ 2017-09-20 6:35 UTC (permalink / raw) To: Jim Mattson, David Hildenbrand, Paolo Bonzini Cc: kvm list, LKML, Radim Krčmář, Thomas Gleixner, Ingo Molnar, H . Peter Anvin On 9/18/2017 11:56 PM, Jim Mattson wrote: > kvm_cpuid ultimately wants to write all four of the GPRs passed in by > reference. I don't see any advantage to allowing some of these > pointers to be NULL. Thanks for your comments, Jim & David. 2 reasons I did not choose to change kvm_cpuid(): 1> like Jim's comments, kvm_cpuid() will eventually write the *eax - *edx no matter a cpuid entry is found or not; 2> currently, return value of kvm_cpuid() is either true when an entry is found or false otherwise. We can change kvm_cpuid() to check the pointers of GPRs against NULL and return false immediately. Then the false value would have 2 different meanings - entry not found, or invalid params. Paolo, any suggestion? :-) Thanks Yu > Reviewed-by: Jim Mattson <jmattson@google.com> > > On Mon, Sep 18, 2017 at 5:19 AM, David Hildenbrand <david@redhat.com> wrote: >> On 18.09.2017 12:45, Yu Zhang wrote: >>> Routine check_cr_write() will trigger emulator_get_cpuid()-> >>> kvm_cpuid() to get maxphyaddr, and NULL is passed as values >>> for ebx/ecx/edx. This is problematic because kvm_cpuid() will >>> dereference these pointers. >>> >>> Fixes: d1cd3ce90044 ("KVM: MMU: check guest CR3 reserved bits based on its physical address width.") >>> Reported-by: Jim Mattson <jmattson@google.com> >>> Signed-off-by: Yu Zhang <yu.c.zhang@linux.intel.com> >>> --- >>> arch/x86/kvm/emulate.c | 8 +++++--- >>> 1 file changed, 5 insertions(+), 3 deletions(-) >>> >>> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c >>> index 16bf665..15f527b 100644 >>> --- a/arch/x86/kvm/emulate.c >>> +++ b/arch/x86/kvm/emulate.c >>> @@ -4102,10 +4102,12 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) >>> ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); >>> if (efer & EFER_LMA) { >>> u64 maxphyaddr; >>> - u32 eax = 0x80000008; >>> + u32 eax, ebx, ecx, edx; >>> >>> - if (ctxt->ops->get_cpuid(ctxt, &eax, NULL, NULL, >>> - NULL, false)) >>> + eax = 0x80000008; >>> + ecx = 0; >>> + if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, >>> + &edx, false)) >>> maxphyaddr = eax & 0xff; >>> else >>> maxphyaddr = 36; >>> >> Not sure if fixing kvm_cpuid() would be better. >> >> Reviewed-by: David Hildenbrand <david@redhat.com> >> >> -- >> >> Thanks, >> >> David ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write() 2017-09-20 6:35 ` Yu Zhang @ 2017-09-20 8:13 ` Paolo Bonzini 2017-09-20 8:27 ` Yu Zhang 0 siblings, 1 reply; 6+ messages in thread From: Paolo Bonzini @ 2017-09-20 8:13 UTC (permalink / raw) To: Yu Zhang, Jim Mattson, David Hildenbrand Cc: kvm list, LKML, Radim Krčmář, Thomas Gleixner, Ingo Molnar, H . Peter Anvin On 20/09/2017 08:35, Yu Zhang wrote: > > 2 reasons I did not choose to change kvm_cpuid(): 1> like Jim's > comments, kvm_cpuid() will eventually write the *eax - *edx no > matter a cpuid entry is found or not; 2> currently, return value of > kvm_cpuid() is either true when an entry is found or false otherwise. > We can change kvm_cpuid() to check the pointers of GPRs against NULL > and return false immediately. Then the false value would have 2 > different meanings - entry not found, or invalid params. > > Paolo, any suggestion? :-) Radim, has already sent this version to Linus. :) Paolo ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write() 2017-09-20 8:13 ` Paolo Bonzini @ 2017-09-20 8:27 ` Yu Zhang 0 siblings, 0 replies; 6+ messages in thread From: Yu Zhang @ 2017-09-20 8:27 UTC (permalink / raw) To: Paolo Bonzini, Jim Mattson, David Hildenbrand Cc: kvm list, LKML, Radim Krčmář, Thomas Gleixner, Ingo Molnar, H . Peter Anvin On 9/20/2017 4:13 PM, Paolo Bonzini wrote: > On 20/09/2017 08:35, Yu Zhang wrote: >> 2 reasons I did not choose to change kvm_cpuid(): 1> like Jim's >> comments, kvm_cpuid() will eventually write the *eax - *edx no >> matter a cpuid entry is found or not; 2> currently, return value of >> kvm_cpuid() is either true when an entry is found or false otherwise. >> We can change kvm_cpuid() to check the pointers of GPRs against NULL >> and return false immediately. Then the false value would have 2 >> different meanings - entry not found, or invalid params. >> >> Paolo, any suggestion? :-) > Radim, has already sent this version to Linus. :) Got it. Thanks. :) Yu > Paolo > ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2017-09-20 8:50 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-09-18 10:45 [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write() Yu Zhang 2017-09-18 12:19 ` David Hildenbrand 2017-09-18 15:56 ` Jim Mattson 2017-09-20 6:35 ` Yu Zhang 2017-09-20 8:13 ` Paolo Bonzini 2017-09-20 8:27 ` Yu Zhang
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox