Add a missing non-canonical check on writes to the RTIT address MSRs
and tack on a cleanup patch.
** ALL PATCHES ARE COMPLETELY UNTESTED **
Untested due to lack of hardware.
Sean Christopherson (2):
KVM: VMX: Add non-canonical check on writes to RTIT address MSRs
KVM: VMX: Add helper to consolidate up PT/RTIT WRMSR fault logic
arch/x86/kvm/vmx/vmx.c | 57 ++++++++++++++++++++++++------------------
1 file changed, 33 insertions(+), 24 deletions(-)
--
2.24.0
Reject writes to RTIT address MSRs if the data being written is a
non-canonical address as the MSRs are subject to canonical checks, e.g.
KVM will trigger an unchecked #GP when loading the values to hardware
during pt_guest_enter().
Cc: [email protected]
Signed-off-by: Sean Christopherson <[email protected]>
---
arch/x86/kvm/vmx/vmx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index 51e3b27f90ed..9aa2006dbe04 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -2152,6 +2152,8 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
(index >= 2 * intel_pt_validate_cap(vmx->pt_desc.caps,
PT_CAP_num_address_ranges)))
return 1;
+ if (is_noncanonical_address(data, vcpu))
+ return 1;
if (index % 2)
vmx->pt_desc.guest.addr_b[index / 2] = data;
else
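Review bot: the new `is_noncanonical_address(data, vcpu)` check sits after the index range check and before the `addr_a`/`addr_b` store, so a rejected value never lands in `vmx->pt_desc.guest` and cannot reach `pt_guest_enter()`; that ordering is right, but the visible lines do not consult `msr_info->host_initiated`, so a userspace MSR restore carrying a non-canonical address is now refused with the same `return 1` as a guest WRMSR. That is consistent with the commit message's reasoning (the value would fault on the hardware load regardless of who wrote it), but it is a behaviour change for userspace that the commit message should state explicitly. It would also help to note that the check takes `vcpu`, i.e. the canonical width follows the vCPU's current address size rather than a fixed 48 bits.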
--
2.24.0
> -----Original Message-----
> From: Christopherson, Sean J <[email protected]>
> Sent: Wednesday, December 11, 2019 7:25 AM
> To: Paolo Bonzini <[email protected]>
> Cc: Christopherson, Sean J <[email protected]>; Vitaly Kuznetsov <[email protected]>; Wanpeng Li
> <[email protected]>; Jim Mattson <[email protected]>; Joerg Roedel <[email protected]>; [email protected]; linux-
> [email protected]; Chao Peng <[email protected]>; Kang, Luwei <[email protected]>
> Subject: [PATCH 1/2] KVM: VMX: Add non-canonical check on writes to RTIT address MSRs
>
> Reject writes to RTIT address MSRs if the data being written is a non-canonical address as the MSRs are subject to canonical checks,
> e.g.
> KVM will trigger an unchecked #GP when loading the values to hardware during pt_guest_enter().
>
> Cc: [email protected]
> Signed-off-by: Sean Christopherson <[email protected]>
> ---
> arch/x86/kvm/vmx/vmx.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index 51e3b27f90ed..9aa2006dbe04 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -2152,6 +2152,8 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> (index >= 2 * intel_pt_validate_cap(vmx->pt_desc.caps,
> PT_CAP_num_address_ranges)))
> return 1;
> + if (is_noncanonical_address(data, vcpu))
> + return 1;
Is this for live migrating a VM with a 5-level page table to a VM with a 4-level page table?
Thanks,
Luwei Kang
> if (index % 2)
> vmx->pt_desc.guest.addr_b[index / 2] = data;
> else
> --
> 2.24.0
On Tue, Dec 10, 2019 at 06:16:35PM -0800, Kang, Luwei wrote:
> > diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c index
> > 51e3b27f90ed..9aa2006dbe04 100644 --- a/arch/x86/kvm/vmx/vmx.c +++
> > b/arch/x86/kvm/vmx/vmx.c @@ -2152,6 +2152,8 @@ static int
> > vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info) (index >= 2 *
> > intel_pt_validate_cap(vmx->pt_desc.caps, PT_CAP_num_address_ranges)))
> > return 1; + if (is_noncanonical_address(data, vcpu)) +
> > return 1;
>
> Is this for live migrating a VM with a 5-level page table to a VM with a
> 4-level page table?
This is orthogonal to live migration or 5-level paging. Unless I'm missing
something, KVM simply fails to validate the incoming address.
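To make the check concrete, here is an added stand-alone model of the validation path the patch describes (example code, not KVM's own): the index range check against the enumerated number of address ranges, followed by the canonical check, with the value stored only if both pass. `is_noncanonical_address()` is re-implemented here with an explicit address width instead of a `vcpu` argument; `struct pt_guest_state`, `pt_set_addr_msr()`, `demo_outcomes()` and the 48/57-bit widths for 4-level/5-level paging are assumptions of this example, and the sample addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not KVM code: models what vmx_set_msr() does with a write
 * to an RTIT address MSR once the non-canonical check is in place.
 */

/*
 * An address is canonical when bits [63:vaddr_bits] all equal bit
 * (vaddr_bits - 1). vaddr_bits is 48 with 4-level paging and 57 with
 * 5-level paging (LA57); values of 64 or more are not supported here.
 */
bool is_noncanonical_address(uint64_t la, unsigned int vaddr_bits)
{
    uint64_t upper_mask = ~(uint64_t)0 << vaddr_bits;
    uint64_t sign_bit = (uint64_t)1 << (vaddr_bits - 1);
    uint64_t expected = (la & sign_bit) ? upper_mask : 0;

    return (la & upper_mask) != expected;
}

/* Hypothetical guest PT state: two address MSRs (A/B) per address range. */
#define MAX_RANGES 4
struct pt_guest_state {
    unsigned int num_address_ranges; /* stands in for PT_CAP_num_address_ranges */
    unsigned int vaddr_bits;         /* stands in for the vCPU's address size */
    uint64_t addr_a[MAX_RANGES];
    uint64_t addr_b[MAX_RANGES];
};

/* Returns 0 when the value is stored, 1 when the WRMSR should #GP. */
int pt_set_addr_msr(struct pt_guest_state *pt, unsigned int index, uint64_t data)
{
    /* Range check first: the index must map to an enumerated address range. */
    if (index >= 2 * pt->num_address_ranges)
        return 1;
    /* Then the canonical check the patch adds, before anything is stored. */
    if (is_noncanonical_address(data, pt->vaddr_bits))
        return 1;
    if (index % 2)
        pt->addr_b[index / 2] = data;
    else
        pt->addr_a[index / 2] = data;
    return 0;
}

/*
 * Drives the model through a few constructed writes and packs each result
 * into one bit so the whole sequence can be checked with a single call.
 * Expected value: 12 (only the third and fourth writes are rejected).
 */
unsigned int demo_outcomes(void)
{
    struct pt_guest_state pt = { .num_address_ranges = 2, .vaddr_bits = 48 };
    unsigned int bits = 0;

    /* accepted: canonical low-half address into range 0, MSR A */
    bits |= (unsigned int)pt_set_addr_msr(&pt, 0, 0x00007fff00000000ULL) << 0;
    /* accepted: canonical high-half address into range 1, MSR B */
    bits |= (unsigned int)pt_set_addr_msr(&pt, 3, 0xffffffff80000000ULL) << 1;
    /* rejected: bit 47 set without sign extension into bits 63:48 */
    bits |= (unsigned int)pt_set_addr_msr(&pt, 1, 0x0000800000000000ULL) << 2;
    /* rejected: index beyond the two enumerated ranges */
    bits |= (unsigned int)pt_set_addr_msr(&pt, 4, 0x0ULL) << 3;
    /* state must reflect only the accepted writes */
    if (pt.addr_a[0] != 0x00007fff00000000ULL ||
        pt.addr_b[1] != 0xffffffff80000000ULL ||
        pt.addr_b[0] != 0)
        bits |= 1u << 4;

    /* Under 5-level paging bit 56 is the sign bit, so the same value passes. */
    pt.vaddr_bits = 57;
    bits |= (unsigned int)pt_set_addr_msr(&pt, 1, 0x0000800000000000ULL) << 5;
    if (pt.addr_b[0] != 0x0000800000000000ULL)
        bits |= 1u << 6;

    return bits;
}

int main(void)
{
    printf("outcome bits: 0x%x\n", demo_outcomes());
    return 0;
}
```

The two rejected writes return 1 without touching the guest state, which is the property the patch relies on: a value that would fault when loaded into hardware is never cached in the first place. The final write shows that "canonical" is a property of the current address width, not of the value alone.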
On 11/12/19 00:24, Sean Christopherson wrote:
> Add a missing non-canonical check on writes to the RTIT address MSRs
> and tack on a cleanup patch.
>
> ** ALL PATCHES ARE COMPLETELY UNTESTED **
>
> Untested due to lack of hardware.
>
> Sean Christopherson (2):
> KVM: VMX: Add non-canonical check on writes to RTIT address MSRs
> KVM: VMX: Add helper to consolidate up PT/RTIT WRMSR fault logic
>
> arch/x86/kvm/vmx/vmx.c | 57 ++++++++++++++++++++++++------------------
> 1 file changed, 33 insertions(+), 24 deletions(-)
>
Queued, thanks.
Paolo