leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
f298103359
linux/arch/x86/kvm
History
Lan Tianyu f298103359 KVM/x86: Check input paging mode when cs.l is set 
Reported by syzkaller:
    WARNING: CPU: 0 PID: 27962 at arch/x86/kvm/emulate.c:5631 x86_emulate_insn+0x557/0x15f0 [kvm]
    Modules linked in: kvm_intel kvm [last unloaded: kvm]
    CPU: 0 PID: 27962 Comm: syz-executor Tainted: G    B   W        4.15.0-rc2-next-20171208+ #32
    Hardware name: Intel Corporation S1200SP/S1200SP, BIOS S1200SP.86B.01.03.0006.040720161253 04/07/2016
    RIP: 0010:x86_emulate_insn+0x557/0x15f0 [kvm]
    RSP: 0018:ffff8807234476d0 EFLAGS: 00010282
    RAX: 0000000000000000 RBX: ffff88072d0237a0 RCX: ffffffffa0065c4d
    RDX: 1ffff100e5a046f9 RSI: 0000000000000003 RDI: ffff88072d0237c8
    RBP: ffff880723447728 R08: ffff88072d020000 R09: ffffffffa008d240
    R10: 0000000000000002 R11: ffffed00e7d87db3 R12: ffff88072d0237c8
    R13: ffff88072d023870 R14: ffff88072d0238c2 R15: ffffffffa008d080
    FS:  00007f8a68666700(0000) GS:ffff880802200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000002009506c CR3: 000000071fec4005 CR4: 00000000003626f0
    Call Trace:
     x86_emulate_instruction+0x3bc/0xb70 [kvm]
     ? reexecute_instruction.part.162+0x130/0x130 [kvm]
     vmx_handle_exit+0x46d/0x14f0 [kvm_intel]
     ? trace_event_raw_event_kvm_entry+0xe7/0x150 [kvm]
     ? handle_vmfunc+0x2f0/0x2f0 [kvm_intel]
     ? wait_lapic_expire+0x25/0x270 [kvm]
     vcpu_enter_guest+0x720/0x1ef0 [kvm]
     ...

When CS.L is set, vcpu should run in the 64 bit paging mode.
Current kvm set_sregs function doesn't have such check when
userspace inputs sreg values. This will lead unexpected behavior.
This patch is to add checks for CS.L, EFER.LME, EFER.LMA and
CR4.PAE when get SREG inputs from userspace in order to avoid
unexpected behavior.

Suggested-by: Paolo Bonzini <pbonzini@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Jim Mattson <jmattson@google.com>
Signed-off-by: Tianyu Lan <tianyu.lan@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-12-15 10:01:46 +01:00
..
cpuid.c Merge branch 'kvm-ppc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc 2017-09-08 14:40:43 +02:00
cpuid.h KVM: x86: Fix CPUID function for word 6 (80000001_ECX) 2017-11-17 13:20:22 +01:00
debugfs.c kvm: x86: export TSC information to user-space 2016-09-16 16:57:48 +02:00
emulate.c x86,kvm: remove KVM emulator get_fpu / put_fpu 2017-12-05 21:20:24 +01:00
hyperv.c KVM: X86: implement the logic for spinlock optimization 2017-08-08 10:57:43 +02:00
hyperv.h kvm: x86: hyperv: make VP_INDEX managed by userspace 2017-07-14 16:28:18 +02:00
i8254.c KVM: x86: take slots_lock in kvm_free_pit 2017-07-12 22:38:26 +02:00
i8254.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
i8259.c KVM: x86: simplify pic_ioport_read() 2017-04-12 20:17:15 +02:00
ioapic.c KVM: x86: ioapic: Preserve read-only values in the redirection table 2017-11-17 13:20:21 +01:00
ioapic.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
irq_comm.c KVM: x86: don't hold kvm->lock in KVM_SET_GSI_ROUTING 2017-05-02 14:45:45 +02:00
irq.c KVM: x86: get rid of pic_irqchip() 2017-04-12 20:17:13 +02:00
irq.h KVM: x86: don't hold kvm->lock in KVM_SET_GSI_ROUTING 2017-05-02 14:45:45 +02:00
Kconfig License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
kvm_cache_regs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lapic.c KVM: lapic: Fixup LDR on load in x2apic 2017-11-27 17:32:53 +01:00
lapic.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mmu_audit.c KVM: MMU: Add 5 level EPT & Shadow page table support. 2017-08-24 18:09:17 +02:00
mmu.c KVM: MMU: Fix infinite loop when there is no available mmu page 2017-12-14 09:24:14 +01:00
mmu.h First batch of KVM changes for 4.15 2017-11-16 13:00:24 -08:00
mmutrace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mtrr.c KVM: x86: generalize guest_cpuid_has_ helpers 2017-08-07 16:11:50 +02:00
page_track.c locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE() 2017-10-25 11:01:08 +02:00
paging_tmpl.h KVM: x86: extend usage of RET_MMIO_PF_* constants 2017-10-12 14:01:56 +02:00
pmu_amd.c perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 2016-09-16 16:19:49 +02:00
pmu_intel.c KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh() 2017-05-19 19:59:27 +02:00
pmu.c KVM: x86: never specify a sample period for virtualized in_tx_cp counters 2017-03-01 14:19:46 +01:00
pmu.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
svm.c KVM: x86: Exit to user-mode on #UD intercept when emulator requires 2017-11-17 13:20:10 +01:00
trace.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
tss.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
vmx.c KVM: VMX: fix page leak in hardware_setup() 2017-12-05 22:34:49 +01:00
x86.c KVM/x86: Check input paging mode when cs.l is set 2017-12-15 10:01:46 +01:00
x86.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00