Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751813AbdITG6x (ORCPT ); Wed, 20 Sep 2017 02:58:53 -0400 Received: from mga01.intel.com ([192.55.52.88]:40593 "EHLO mga01.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751000AbdITG6v (ORCPT ); Wed, 20 Sep 2017 02:58:51 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.42,420,1500966000"; d="scan'208";a="137392493" Subject: Re: [PATCH] KVM: x86: Fix the NULL pointer parameter in check_cr_write() To: Jim Mattson , David Hildenbrand , Paolo Bonzini Cc: kvm list , LKML , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Thomas Gleixner , Ingo Molnar , "H . Peter Anvin" References: <1505731501-6821-1-git-send-email-yu.c.zhang@linux.intel.com> <62dd03f0-4049-1d9c-d07b-61cac4c49c93@redhat.com> From: Yu Zhang Message-ID: <0a2a586b-5dd6-88cb-bd22-f0676b1c8fbe@linux.intel.com> Date: Wed, 20 Sep 2017 14:35:30 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2614 Lines: 72 On 9/18/2017 11:56 PM, Jim Mattson wrote: > kvm_cpuid ultimately wants to write all four of the GPRs passed in by > reference. I don't see any advantage to allowing some of these > pointers to be NULL. Thanks for your comments, Jim & David. 2 reasons I did not choose to change kvm_cpuid(): 1> like Jim's comments, kvm_cpuid() will eventually write the *eax - *edx no matter a cpuid entry is found or not; 2> currently, return value of kvm_cpuid() is either true when an entry is found or false otherwise. We can change kvm_cpuid() to check the pointers of GPRs against NULL and return false immediately. Then the false value would have 2 different meanings - entry not found, or invalid params. Paolo, any suggestion? :-) Thanks Yu > Reviewed-by: Jim Mattson > > On Mon, Sep 18, 2017 at 5:19 AM, David Hildenbrand wrote: >> On 18.09.2017 12:45, Yu Zhang wrote: >>> Routine check_cr_write() will trigger emulator_get_cpuid()-> >>> kvm_cpuid() to get maxphyaddr, and NULL is passed as values >>> for ebx/ecx/edx. This is problematic because kvm_cpuid() will >>> dereference these pointers. >>> >>> Fixes: d1cd3ce90044 ("KVM: MMU: check guest CR3 reserved bits based on its physical address width.") >>> Reported-by: Jim Mattson >>> Signed-off-by: Yu Zhang >>> --- >>> arch/x86/kvm/emulate.c | 8 +++++--- >>> 1 file changed, 5 insertions(+), 3 deletions(-) >>> >>> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c >>> index 16bf665..15f527b 100644 >>> --- a/arch/x86/kvm/emulate.c >>> +++ b/arch/x86/kvm/emulate.c >>> @@ -4102,10 +4102,12 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt) >>> ctxt->ops->get_msr(ctxt, MSR_EFER, &efer); >>> if (efer & EFER_LMA) { >>> u64 maxphyaddr; >>> - u32 eax = 0x80000008; >>> + u32 eax, ebx, ecx, edx; >>> >>> - if (ctxt->ops->get_cpuid(ctxt, &eax, NULL, NULL, >>> - NULL, false)) >>> + eax = 0x80000008; >>> + ecx = 0; >>> + if (ctxt->ops->get_cpuid(ctxt, &eax, &ebx, &ecx, >>> + &edx, false)) >>> maxphyaddr = eax & 0xff; >>> else >>> maxphyaddr = 36; >>> >> Not sure if fixing kvm_cpuid() would be better. >> >> Reviewed-by: David Hildenbrand >> >> -- >> >> Thanks, >> >> David