From patchwork Wed Jun 7 08:31:34 2017
X-Patchwork-Submitter: Wanpeng Li
X-Patchwork-Id: 9770873
From: Wanpeng Li
Date: Wed, 7 Jun 2017 16:31:34 +0800
Subject: Re: KVM vulnerability report about cpuid instruction
To: "Moguofang (Dennis mo)"
Cc: "kvm@vger.kernel.org", "Zhouyu (Axis Zhou, ICSL)"
Sender: kvm-owner@vger.kernel.org
X-Mailing-List: kvm@vger.kernel.org

2017-06-07 15:09 GMT+08:00 Moguofang (Dennis mo):
> Hello!
> A new vulnerability discovered by me.

Could you test something like this?

--------------------------->8-------------------------------------------------------------

Signed-off-by: Wanpeng Li

diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index a181ae7..b927a42 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -779,19 +779,20 @@ int kvm_dev_ioctl_get_cpuid(struct kvm_cpuid2 *cpuid, static int move_to_next_stateful_cpuid_entry(struct kvm_vcpu *vcpu, int i) { + int j = i, nent = vcpu->arch.cpuid_nent; struct kvm_cpuid_entry2 *e = &vcpu->arch.cpuid_entries[i]; - int j, nent = vcpu->arch.cpuid_nent; + struct kvm_cpuid_entry2 *ej; e->flags &= ~KVM_CPUID_FLAG_STATE_READ_NEXT; /* when no next entry is found, the current entry[i] is reselected */ - for (j = i + 1; ; j = (j + 1) % nent) { - struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j]; - if (ej->function == e->function) { - ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; - return j; - } - } - return 0; /* silence gcc, even though control never reaches here */ + do { + j = (j + 1) % nent; + ej = &vcpu->arch.cpuid_entries[j]; + } while(ej->function != e->function); + + ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT; + + return j; } /* find an entry with matching function, matching index (if needed), and that
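Review bot: the `do { j = (j + 1) % nent; ej = &vcpu->arch.cpuid_entries[j]; }` rewrite is the right shape, because the old loop's initializer `j = i + 1` was applied without the modulo and so dereferenced `cpuid_entries[nent]` on the first iteration whenever the stateful entry being advanced was the last one in the table; the new form wraps before the first dereference. Two things to tidy before merging: kernel coding style wants a space after the keyword, i.e. `} while (ej->function != e->function);`, and since the loop now has no explicit bound, a short comment stating why it terminates (entry `i` itself has `function == e->function`, so with no other match the loop wraps to `j == i`, which is the "reselected" case the comment above the loop describes) would make the absence of a bound check obviously intentional. The removed `return 0; /* silence gcc ... */` is no longer needed with `return j;` after the loop, so dropping it is correct.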