From patchwork Thu May 7 08:44:02 2015
X-Patchwork-Submitter: Xiao Guangrong
X-Patchwork-Id: 6354671
From: Xiao Guangrong
To: pbonzini@redhat.com
Cc: gleb@kernel.org, mtosatti@redhat.com, kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Xiao Guangrong
Subject: [PATCH] check smap and !cr0.wp
Date: Thu, 7 May 2015 16:44:02 +0800
Message-Id: <1430988242-7186-1-git-send-email-guangrong.xiao@linux.intel.com>
X-Mailer: git-send-email 2.1.0

This test case is used to produce the bug that: KVM may turn a user page into a kernel page when the kernel writes a readonly user page if CR0.WP = 1. This shadow page entry will be reused after SMAP is enabled, so that the kernel is allowed to access this user page.

Signed-off-by: Xiao Guangrong
---
 x86/smap.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/x86/smap.c b/x86/smap.c index 042c5aa..66f97b8 100644 --- a/x86/smap.c +++ b/x86/smap.c @@ -48,6 +48,7 @@ asm ("pf_tss:\n" #define USER_BASE (1 << 24) #define USER_VAR(v) (*((__typeof__(&(v))) (((unsigned long)&v) + USER_BASE))) +#define USER_ADDR(v) ((void *)((unsigned long)(&v) + USER_BASE)) static void init_test(int i) {
@@ -58,6 +59,29 @@ static void init_test(int i) } } +static void check_smap_nowp(void) +{ + test = 0x99; + + *get_pte(phys_to_virt(read_cr3()), USER_ADDR(test)) &= ~PTE_WRITE; + + write_cr4(read_cr4() & ~X86_CR4_SMAP); + write_cr0(read_cr0() & ~X86_CR0_WP); + clac(); + write_cr3(read_cr3()); + + init_test(0); + USER_VAR(test) = 0x99; + report("write from user page with SMAP=0, AC=0, WP=0, PTE.U=1 && PTE.W=0", pf_count == 0); + + write_cr4(read_cr4() | X86_CR4_SMAP); + write_cr3(read_cr3()); + + init_test(0); + (void)USER_VAR(test); + report("read from user page with SMAP=1, AC=0, WP=0, PTE.U=1 && PTE.W=0", pf_count == 1 && save == 0x99); +} + int main(int ac, char **av) { unsigned long i; @@ -150,6 +174,8 @@ int main(int ac, char **av) report("executing on user page with AC=0", pf_count == 0); } + check_smap_nowp(); + // TODO: implicit kernel access from ring 3 (e.g. int) return report_summary();
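Review bot: in the first hunk the new `USER_ADDR(v)` macro takes the address as `(&v)` without parenthesizing `v`, whereas the `__typeof__(&(v))` in `USER_VAR` directly above does; use `&(v)` so the two macros behave the same for any expression argument.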
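Review bot: `check_smap_nowp()` in the second hunk mutates global state (it clears `PTE_WRITE` on the user alias of `test`, clears `CR0.WP`, and leaves `CR4.SMAP` set) and never restores any of it, so every check that runs after it inherits WP=0 and a read-only user PTE; restore CR0 and the PTE at the end of the function and flush with `write_cr3()` again. Also, `USER_VAR(test) = 0x99;` stores the same value that `test = 0x99;` already set a few lines earlier, so the first `report()` can only observe `pf_count == 0` and says nothing about whether the supervisor write reached the page; writing a different value and checking `test` afterwards would make that assertion meaningful. Finally, the commit message says the user page is turned into a kernel page "if CR0.WP = 1", while the test clears `CR0.WP` right before the write; one of the two should be corrected so the description matches what the test exercises.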
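Review bot: the third hunk adds the `check_smap_nowp()` call immediately before the TODO about implicit kernel accesses from ring 3; because the function does not reset `CR0.WP` or the write bit of the `test` PTE, any test later written at that TODO will silently run with WP=0 and SMAP=1. Either restore the state inside `check_smap_nowp()` or add a comment next to the call stating the CR0/CR4/PTE state it leaves behind.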