From: Boris Ostrovsky <boris.ostrovsky@oracle.com>
To: "Slutz, Donald Christopher" <dslutz@verizon.com>
Cc: Kevin Tian <kevin.tian@intel.com>, Keir Fraser <keir@xen.org>,
Ian Campbell <ian.campbell@citrix.com>,
Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Eddie Dong <eddie.dong@intel.com>, Tim Deegan <tim@xen.org>,
"xen-devel@lists.xen.org" <xen-devel@lists.xen.org>,
Jan Beulich <jbeulich@suse.com>,
Aravind Gopalakrishnan <Aravind.Gopalakrishnan@amd.com>,
Jun Nakajima <jun.nakajima@intel.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>,
Ian Jackson <ian.jackson@eu.citrix.com>
Subject: Re: [PATCH v4 04/16] xen: Add is_vmware_port_enabled
Date: Fri, 19 Sep 2014 11:50:01 -0400 [thread overview]
Message-ID: <541C50A9.5000906@oracle.com> (raw)
In-Reply-To: <A3CD31A5D207064088A18AC2AF7B5DC6BA5CF3C6@MIA20725MBX891A.apps.tmrk.corp>
On 09/19/2014 09:24 AM, Slutz, Donald Christopher wrote:
> On 09/18/14 18:53, Boris Ostrovsky wrote:
>> On 09/17/2014 02:23 PM, Slutz, Donald Christopher wrote:
>>>
>>> I just spent some time checking and found out that even with the cpu
>>> reporting:
>>>
>>> (XEN) - Next-RIP Saved on #VMEXIT
>>>
>>> svm_nextrip_insn_length(v) is 0.
>> As I see it, this could happen for one of three reasons:
>> * !cpu_has_svm_nrips which can't be the case since (1) family 21
>> supports it and (2) you actually see in the log that it does have it
>> * next RIP is before current RIP which I think can't be the case
>> neither because we are not looking at branch instruction or something
>> like that.
>> * nextrip == rip. Which I don't see how it can be true.
>>
>> Can you check why svm_nextrip_insn_length(v) is 0?
>>
> What I have found out is that vmcb->nextrip is 0 in my testing. So
> next RIP is "before current RIP" by a very large amount.
Ah, I just realized --- you are in VMEXIT because of #GP intercept, not
because of IOIO intercept. And during #GP NRIP does not get updated (it
is set to zero).
Which means that you will always be doing decoding when you call
__get_instruction_length_from_list(), regardless of NRIP support.
>> But regardless of that, how do you expect your code to work on CPUs
>> that don't support NRIP? On those processors you *will* be decoding
>> the instruction twice.
>>
> The code "works" because the only info passed between the 2 decodes is
> the instruction length. This is used to limit the amount of the 2nd read.
>
> And because svm_nextrip_insn_length(v) is 0, all the testing I have done
> on the AMD server has been doing the decode of the instruction twice.
>
> If another CPU is changing the instructions as I read them (which is the
> security issue as I understand it), all I see happing is that "wrong"
> direction
> or size of request could happen, or it is a vmport request or not. All of
> which either report a #GP or do the vmport action. Since you can do the
> vmport action without changing the instruction bytes, I do not see how
> the double decode opens any security issue.
>
> I am not trying to say this is good. And as I replied to Jan, I am
> looking into
> a way to only do the single decode. The simplest of these is to just not
> use __get_instruction_length_from_list() and just state that on AMD the
> instruction length is 2. This is safe because I am only using this to
> decide
> much many bytes on the page to read. The 2nd page read read depends
> on finding a 0x66 prefix byte.
Can you make this statement (about instruction length being 2) for both
AMD and Intel and then possibly move some code into common HVM code?
Since we are intercepting #GP on both architectures only for VMware case
(right?) it seems that you can just say -- "let's look at the next 2
bytes and confirm that they are IN/OUT (with appropriate arguments)".
-boris
> I am just noticing that this also has the
> side
> effect of not injecting a #PF if the instruction is no longer readable
> (a side
> effect of using fetch() which uses hvm_fetch_from_guest_virt()).
next prev parent reply other threads:[~2014-09-19 15:50 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-11 18:36 [PATCH v4 00/16] Xen VMware tools support Don Slutz
2014-09-11 18:36 ` [PATCH v4 01/16] xen: Add support for VMware cpuid leaves Don Slutz
2014-09-11 19:49 ` Andrew Cooper
2014-09-12 9:49 ` Jan Beulich
2014-09-12 17:46 ` Don Slutz
2014-09-15 7:42 ` Jan Beulich
2014-09-17 15:41 ` Don Slutz
2014-09-12 21:26 ` Don Slutz
2014-09-12 12:37 ` Boris Ostrovsky
2014-09-12 17:50 ` Don Slutz
2014-09-11 18:36 ` [PATCH v4 02/16] tools: Add vmware_hw support Don Slutz
2014-09-11 21:09 ` Andrew Cooper
2014-09-16 16:20 ` Don Slutz
2014-09-11 18:36 ` [PATCH v4 03/16] vmware: Add VMware provided include files Don Slutz
2014-09-11 18:36 ` [PATCH v4 04/16] xen: Add is_vmware_port_enabled Don Slutz
2014-09-11 21:22 ` Andrew Cooper
2014-09-16 16:20 ` Don Slutz
2014-09-12 13:08 ` Boris Ostrovsky
2014-09-16 12:08 ` Slutz, Donald Christopher
2014-09-17 15:56 ` Boris Ostrovsky
2014-09-17 18:23 ` Slutz, Donald Christopher
2014-09-18 9:14 ` Jan Beulich
2014-09-19 12:48 ` Slutz, Donald Christopher
2014-09-18 22:53 ` Boris Ostrovsky
2014-09-19 13:24 ` Slutz, Donald Christopher
2014-09-19 15:50 ` Boris Ostrovsky [this message]
2014-09-19 17:00 ` Slutz, Donald Christopher
2014-09-11 18:36 ` [PATCH v4 05/16] tools: Add vmware_port support Don Slutz
2014-09-11 18:36 ` [PATCH v4 06/16] xen: Convert vmware_port to xentrace usage Don Slutz
2014-09-12 13:10 ` Boris Ostrovsky
2014-09-12 23:57 ` Don Slutz
2014-09-11 18:36 ` [PATCH v4 07/16] tools: " Don Slutz
2014-09-12 13:15 ` Boris Ostrovsky
2014-09-13 0:01 ` Don Slutz
2014-09-11 18:36 ` [PATCH v4 08/16] xen: Add limited support of VMware's hyper-call rpc Don Slutz
2014-09-12 13:37 ` Boris Ostrovsky
2014-09-12 14:27 ` Jan Beulich
2014-09-16 12:38 ` Slutz, Donald Christopher
2014-09-16 12:46 ` Jan Beulich
2014-09-16 13:47 ` Slutz, Donald Christopher
2014-09-16 13:17 ` Slutz, Donald Christopher
2014-09-11 18:36 ` [PATCH v4 09/16] tools: " Don Slutz
2014-09-11 18:36 ` [PATCH v4 10/16] Add VMware tool's triggers Don Slutz
2014-09-11 18:36 ` [PATCH v4 11/16] Add live migration of VMware's hyper-call RPC Don Slutz
2014-09-12 13:54 ` Boris Ostrovsky
2014-09-16 15:48 ` Don Slutz
2014-09-11 18:36 ` [PATCH v4 12/16] Add dump of HVM_SAVE_CODE(VMPORT) to xen-hvmctx Don Slutz
2014-09-11 18:36 ` [PATCH v4 13/16] Add xen-hvm-param Don Slutz
2014-09-11 18:36 ` [PATCH v4 14/16] Add xen-vmware-guestinfo Don Slutz
2014-09-11 18:36 ` [PATCH v4 15/16] Add xen-list-vmware-guestinfo Don Slutz
2014-09-11 18:36 ` [PATCH v4 16/16] Add xen-hvm-send-trigger Don Slutz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=541C50A9.5000906@oracle.com \
--to=boris.ostrovsky@oracle.com \
--cc=Aravind.Gopalakrishnan@amd.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=dslutz@verizon.com \
--cc=eddie.dong@intel.com \
--cc=ian.campbell@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jbeulich@suse.com \
--cc=jun.nakajima@intel.com \
--cc=keir@xen.org \
--cc=kevin.tian@intel.com \
--cc=stefano.stabellini@eu.citrix.com \
--cc=suravee.suthikulpanit@amd.com \
--cc=tim@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).