[RFC,16/19] kvm: x86: Change the emulation context

Message ID 20170616134348.17725-17-alazar@bitdefender.com (mailing list archive)
Commit Message

Adalbert Lazăr June 16, 2017, 1:43 p.m. UTC
From: Mihai Dontu <mdontu@bitdefender.com>

Certain instructions that generate a #PF due to the unset read bit in
the corresponding spte need to be emulated and passed a certain input
(usually 8 bytes in length).

This is used to hide injected code by the introspecting tool from
integrity checkers running inside the guest.

Signed-off-by: Mihai Dontu <mdontu@bitdefender.com>
---
 arch/x86/kvm/x86.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index b7d2a9901665..9465856a9e37 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4480,6 +4480,10 @@  static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt,
 				      struct x86_exception *exception)
 {
 	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+
+	if (vcpu->ctx_size)
+		return kvmi_patch_emul_instr(vcpu, val, bytes);
+
 	return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception);
 }
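Review bot: The new early return on the `if (vcpu->ctx_size)` line does not pass `addr` to `kvmi_patch_emul_instr(vcpu, val, bytes)`, so while `ctx_size` is non-zero every read that comes through this path is answered with the introspection-supplied bytes, regardless of which guest address the emulator asked for. The same unconditional substitution is added to `kvm_read_guest_phys_system` and `emulator_read_emulated` in the next two hunks; an instruction whose emulation issues more than one read (or a system read for a descriptor) would presumably receive the same context for each, which does not look intended. I would either pass `addr` down and let the hook match it against the faulting address, or document here that the hook is only armed for single-read instructions, e.g. `/* ctx_size != 0: this emulation has exactly one read, served from the introspection context rather than guest memory */`. `kvm_read_guest_virt_system`'s signature begins in the hunk header, outside the shown lines.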
 
@@ -4487,7 +4491,12 @@  static int kvm_read_guest_phys_system(struct x86_emulate_ctxt *ctxt,
 		unsigned long addr, void *val, unsigned int bytes)
 {
 	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
-	int r = kvm_vcpu_read_guest(vcpu, addr, val, bytes);
+	int r;
+
+	if (vcpu->ctx_size)
+		return kvmi_patch_emul_instr(vcpu, val, bytes);
+
+	r = kvm_vcpu_read_guest(vcpu, addr, val, bytes);
 
 	return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE;
 }
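Review bot: The early return added before `r = kvm_vcpu_read_guest(...)` bypasses the `r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE` mapping that this function applies to its own read, so whatever `kvmi_patch_emul_instr` returns is handed to the emulator unchanged. Its return convention is not visible in this patch; if it returns a plain negative errno rather than an `X86EMUL_*` code, the caller will misinterpret it here while the virt-system path in the previous hunk already relies on the helper returning emulator codes. A one-line comment at the call site stating the contract, e.g. `/* kvmi_patch_emul_instr() returns an X86EMUL_* code, not an errno */`, or wrapping the call in the same mapping as below, would settle it. The function's opening line is in the hunk header.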
@@ -4773,6 +4782,11 @@  static int emulator_read_emulated(struct x86_emulate_ctxt *ctxt,
 				  unsigned int bytes,
 				  struct x86_exception *exception)
 {
+	struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt);
+
+	if (vcpu->ctx_size)
+		return kvmi_patch_emul_instr(vcpu, val, bytes);
+
 	return emulator_read_write(ctxt, addr, val, bytes,
 				   exception, &read_emultor);
 }
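Review bot: Nothing in the three hunks shows where `vcpu->ctx_size` is reset, and this hook in `emulator_read_emulated` is on the general operand-read path, so if the field is still set after the patched emulation finishes, later unrelated emulations would also have their reads replaced. That lifetime is presumably handled in another patch of the series, but the check here gives no hint of it; a short comment would help readers, e.g. `/* ctx_size is armed by the introspection tool for the single instruction being emulated and must be cleared once emulation completes */`. If the clearing does not happen on every emulation exit path, including failure, this read hook would keep firing. The enclosing function's signature starts in the hunk header.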