Message ID | 20190605195729.GA25699@dnote (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | [v3,1/2] kvm: vmx: fix limit checking in get_vmx_mem_address() | expand |
On Wed, Jun 05, 2019 at 10:57:29PM +0300, Eugene Korenevsky wrote: > Intel SDM vol. 3, 5.3: > The processor causes a > general-protection exception (or, if the segment is SS, a stack-fault > exception) any time an attempt is made to access the following addresses > in a segment: > - A byte at an offset greater than the effective limit > - A word at an offset greater than the (effective-limit – 1) > - A doubleword at an offset greater than the (effective-limit – 3) > - A quadword at an offset greater than the (effective-limit – 7) > > Therefore, the generic limit checking error condition must be > > exn = (off > limit + 1 - access_len) = (off + access_len - 1 > limit) > > but not > > exn = (off + access_len > limit) > > as for now. > > Note: access length is incorrectly set to sizeof(u64). This will be fixed in > the subsequent patch. > > Signed-off-by: Eugene Korenevsky <ekorenevsky@gmail.com> > --- > Changes in v3 since v2: fixed limit checking condition to avoid underflow; > added note > > arch/x86/kvm/vmx/nested.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c > index f1a69117ac0f..93df72597c72 100644 > --- a/arch/x86/kvm/vmx/nested.c > +++ b/arch/x86/kvm/vmx/nested.c > @@ -4115,7 +4115,7 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification, > */ > if (!(s.base == 0 && s.limit == 0xffffffff && > ((s.type & 8) || !(s.type & 4)))) > - exn = exn || (off + sizeof(u64) > s.limit); > + exn = exn || (off + sizeof(u64) - 1 > s.limit); This still has a wrap bug in 32-bit KVM, e.g. off == 0xffffffff will incorrectly pass the limit check due to wrapping its unsigned long. > } > if (exn) { > kvm_queue_exception_e(vcpu, > -- > 2.21.0 >
diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c index f1a69117ac0f..93df72597c72 100644 --- a/arch/x86/kvm/vmx/nested.c +++ b/arch/x86/kvm/vmx/nested.c @@ -4115,7 +4115,7 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification, */ if (!(s.base == 0 && s.limit == 0xffffffff && ((s.type & 8) || !(s.type & 4)))) - exn = exn || (off + sizeof(u64) > s.limit); + exn = exn || (off + sizeof(u64) - 1 > s.limit); } if (exn) { kvm_queue_exception_e(vcpu,
Intel SDM vol. 3, 5.3: The processor causes a general-protection exception (or, if the segment is SS, a stack-fault exception) any time an attempt is made to access the following addresses in a segment: - A byte at an offset greater than the effective limit - A word at an offset greater than the (effective-limit – 1) - A doubleword at an offset greater than the (effective-limit – 3) - A quadword at an offset greater than the (effective-limit – 7) Therefore, the generic limit checking error condition must be exn = (off > limit + 1 - access_len) = (off + access_len - 1 > limit) but not exn = (off + access_len > limit) as for now. Note: access length is incorrectly set to sizeof(u64). This will be fixed in the subsequent patch. Signed-off-by: Eugene Korenevsky <ekorenevsky@gmail.com> --- Changes in v3 since v2: fixed limit checking condition to avoid underflow; added note arch/x86/kvm/vmx/nested.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)