From patchwork Wed Mar 1 09:13:55 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sergey Dyasli
X-Patchwork-Id: 9597891
From: Sergey Dyasli
To:
Date: Wed, 1 Mar 2017 09:13:55 +0000
Message-ID: <20170301091355.24742-3-sergey.dyasli@citrix.com>
X-Mailer: git-send-email 2.9.3
In-Reply-To: <20170301091355.24742-1-sergey.dyasli@citrix.com>
References: <20170301091355.24742-1-sergey.dyasli@citrix.com>
Cc: Andrew Cooper, Kevin Tian, Jan Beulich, Jun Nakajima, Sergey Dyasli
Subject: [Xen-devel] [PATCH v1 2/2] x86/vvmx: add vmcs id check into vmptrld emulation

If a guest will do vmptrld with an incorrect vmcs id:

(XEN) Xen BUG at .../git/upstream/xen/xen/include/asm/hvm/vmx/vmx.h:333
(XEN) ----[ Xen-4.9-unstable x86_64 debug=y Tainted: H ]----
(XEN) Xen call trace:
(XEN) [] vmcs.c#arch/x86/hvm/vmx/vmcs.o.unlikely+0x28/0x19a
(XEN) [] virtual_vmcs_vmread+0x11/0x2c
(XEN) [] vvmx.c#_map_io_bitmap+0x86/0x88
(XEN) [] nvmx_handle_vmptrld+0xf0/0x1fb
(XEN) [] vmx_vmexit_handler+0x132b/0x1c49
(XEN) [] vmx_asm_vmexit_handler+0x3c/0x120

Fix this by adding appropriate checks for vmcs id during vmptrld emulation.

Signed-off-by: Sergey Dyasli
Acked-by: Kevin Tian
--- xen/arch/x86/hvm/vmx/vvmx.c | 11 +++++++++++ xen/include/asm-x86/hvm/vmx/vmcs.h | 1 + 2 files changed, 12 insertions(+) diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c index 4f5ee5a..580fd3e 100644 --- a/xen/arch/x86/hvm/vmx/vvmx.c +++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1633,6 +1633,17 @@ int nvmx_handle_vmptrld(struct cpu_user_regs *regs) { if ( writable ) { + struct vmcs_struct *vvmcs = vvmcx; + + if ( ((vvmcs->vmcs_revision_id ^ vmx_basic_msr) & + VMX_BASIC_REVISION_MASK) || + (!cpu_has_vmx_vmcs_shadowing && + (vvmcs->vmcs_revision_id & ~VMX_BASIC_REVISION_MASK)) ) + { + hvm_unmap_guest_frame(vvmcx, 1); + vmfail(regs, VMX_INSN_VMPTRLD_INCORRECT_VMCS_ID); + return X86EMUL_OKAY; + } nvcpu->nv_vvmcx = vvmcx; nvcpu->nv_vvmcxaddr = gpa; v->arch.hvm_vmx.vmcs_shadow_maddr = diff --git a/xen/include/asm-x86/hvm/vmx/vmcs.h b/xen/include/asm-x86/hvm/vmx/vmcs.h index 4ee01da..6308e4b 100644 --- a/xen/include/asm-x86/hvm/vmx/vmcs.h +++ b/xen/include/asm-x86/hvm/vmx/vmcs.h @@ -521,6 +521,7 @@ enum vmx_insn_errno VMX_INSN_INVALID_CONTROL_STATE = 7, VMX_INSN_INVALID_HOST_STATE = 8, VMX_INSN_VMPTRLD_INVALID_PHYADDR = 9, + VMX_INSN_VMPTRLD_INCORRECT_VMCS_ID = 11, VMX_INSN_UNSUPPORTED_VMCS_COMPONENT = 12, VMX_INSN_VMXON_IN_VMX_ROOT = 15, VMX_INSN_FAIL_INVALID = ~0,
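
Review bot: In the nvmx_handle_vmptrld() hunk, vvmcs->vmcs_revision_id is read twice from the mapped guest frame, once in the XOR against vmx_basic_msr and once in the ~VMX_BASIC_REVISION_MASK test, so the two halves of the condition can see different values if the guest writes the page between the reads. Read the field once into a local and run both tests on that copy. The second clause would also benefit from a short comment stating what a set bit outside VMX_BASIC_REVISION_MASK means and why it is only rejected when cpu_has_vmx_vmcs_shadowing is false, since that is not evident from the expression itself.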