References: <20190912041817.23984-1-huangfq.daxian@gmail.com> <87tv9hew2k.fsf@vitty.brq.redhat.com>
In-Reply-To: <87tv9hew2k.fsf@vitty.brq.redhat.com>
From: Fuqian Huang
Date: Thu, 12 Sep 2019 16:56:00 +0800
Subject: Re: [PATCH] KVM: x86: work around leak of uninitialized stack contents
To: Vitaly Kuznetsov
Cc: Paolo Bonzini, Radim Krčmář, Sean Christopherson, Wanpeng Li, Jim Mattson, Joerg Roedel, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H . Peter Anvin", x86@kernel.org, kvm@vger.kernel.org, Linux Kernel Mailing List
X-Mailing-List: linux-kernel@vger.kernel.org

Vitaly Kuznetsov wrote on Thu, 12 Sep 2019 at 16:51:
>
> Fuqian Huang writes:
>
> > Emulation of VMPTRST can incorrectly inject a page fault
> > when passed an operand that points to an MMIO address.
> > The page fault will use uninitialized kernel stack memory
> > as the CR2 and error code.
> >
> > The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
> > exit to userspace;
>
> Hm, why so? KVM_EXIT_INTERNAL_ERROR is basically an error in KVM, this
> is not a proper reaction to a userspace-induced condition (or ever).
>
> I also looked at VMPTRST's description in Intel's manual and I can't
> find an explicit limitation like "this must be normal memory". We're
> just supposed to inject #PF "If a page fault occurs in accessing the
> memory destination operand."
>
> In case it seems to be too cumbersome to handle VMPTRST to MMIO and we
> think that nobody should be doing that I'd rather prefer injecting #GP.
>
> Please tell me what I'm missing :-)

I found it during code review, and it looks like the problem that commit
353c0956a618 ("KVM: x86: work around leak of uninitialized stack contents
(CVE-2019-7222)") mentions. So I fixed it in a similar way.

>
> > however, it is not an easy fix, so for now just ensure
> > that the error code and CR2 are zero.
> >
> > Signed-off-by: Fuqian Huang
> > ---
> >  arch/x86/kvm/x86.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> > index 290c3c3efb87..7f442d710858 100644
> > --- a/arch/x86/kvm/x86.c
> > +++ b/arch/x86/kvm/x86.c
> > @@ -5312,6 +5312,7 @@ int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val,
> >  	/* kvm_write_guest_virt_system can pull in tons of pages. */
> >  	vcpu->arch.l1tf_flush_l1d = true;
> >
> > +	memset(exception, 0, sizeof(*exception));
> >  	return kvm_write_guest_virt_helper(addr, val, bytes, vcpu,
> >  					   PFERR_WRITE_MASK, exception);
> >  }
>
> --
> Vitaly
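Review bot: the zeroing is placed in kvm_write_guest_virt_system, so it only covers callers that enter through this one wrapper; kvm_write_guest_virt_helper is invoked here with PFERR_WRITE_MASK and, if it has other write-path callers, those still pass an `exception` that the helper fills only on the translation-fault path. If the intent is that `exception` is always fully initialized before any caller can inject from it, consider doing the `memset(exception, 0, sizeof(*exception));` in the helper itself or at the injecting call sites, or state in the log why this entry point alone is the one that matters. Separately, the commit message above reuses the KVM_EXIT_INTERNAL_ERROR rationale from 353c0956a618 that the reviewer already questioned; since the code change is a one-line memset, the log should name the emulation path that reaches kvm_write_guest_virt_system with an uninitialized `exception` and then injects a #PF from it on a non-fault failure (the MMIO case), so the claim can be verified without reading the earlier commit.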
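The bug class the quoted commit message describes, as an added stand-alone C model that is not KVM code and not part of this thread: a helper that fills the exception struct only on the translation-fault path, a caller that injects a #PF from that struct on any failure (including the MMIO case, where the helper never touched it), and the memset workaround from the patch beside it. The struct field names are recalled from KVM's struct x86_exception; the X86EMUL_* values, PF_VECTOR, PFERR_WRITE_MASK, the guest address layout and the VMPTRST-style caller are local constants and a hypothetical reconstruction for this example, not the kernel's call chain. Because reading genuinely uninitialized stack is undefined behaviour in C, the stale stack contents are simulated with a deterministic 0xA5 fill.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userland copy of the field layout of KVM's struct x86_exception
 * (assumption: recalled from arch/x86/kvm/kvm_emulate.h, not included here). */
struct x86_exception {
	uint8_t  vector;
	bool     error_code_valid;
	uint16_t error_code;
	bool     nested_page_fault;
	uint64_t address;          /* becomes CR2 when a #PF is injected */
};

/* Local constants for the model; values chosen for this example. */
enum {
	X86EMUL_CONTINUE        = 0,
	X86EMUL_PROPAGATE_FAULT = 2,
	X86EMUL_IO_NEEDED       = 5,
};
#define PF_VECTOR        14
#define PFERR_WRITE_MASK (1U << 1)

/* Hypothetical guest layout: one RAM page, one MMIO page, the rest unmapped. */
#define RAM_GVA         0x1000ULL
#define MMIO_GVA        0x2000ULL
#define UNMAPPED_GVA    0x3000ULL
#define GUEST_PAGE_SIZE 4096ULL

static uint8_t guest_ram[GUEST_PAGE_SIZE];

/* Models the write helper: *exception is written only on the translation-fault
 * path. An MMIO destination returns X86EMUL_IO_NEEDED and leaves *exception
 * untouched, which is the root of the leak. */
static int write_guest_virt_helper(uint64_t gva, const void *val, size_t bytes,
				   struct x86_exception *exception)
{
	if (gva >= RAM_GVA && gva + bytes <= RAM_GVA + GUEST_PAGE_SIZE) {
		memcpy(guest_ram + (gva - RAM_GVA), val, bytes);
		return X86EMUL_CONTINUE;
	}
	if (gva >= MMIO_GVA && gva < MMIO_GVA + GUEST_PAGE_SIZE)
		return X86EMUL_IO_NEEDED;          /* exception not filled in */

	exception->vector = PF_VECTOR;
	exception->error_code_valid = true;
	exception->error_code = PFERR_WRITE_MASK;
	exception->nested_page_fault = false;
	exception->address = gva;
	return X86EMUL_PROPAGATE_FAULT;
}

/* What the caller loads into the injected #PF. */
struct injected_pf {
	uint16_t error_code;
	uint64_t cr2;
};

/* Models a VMPTRST-style path: store 8 bytes to the guest and inject a #PF
 * from the local exception struct on any failure, MMIO included (the wrong
 * injection itself is left in place, as the commit message says it is).
 * Returns 1 if a fault was injected and fills *pf, 0 on success.
 * zero_exception selects the patched behaviour (memset before the call). */
static int emulate_vmptrst_store(uint64_t gva, bool zero_exception,
				 struct injected_pf *pf)
{
	struct x86_exception e;
	uint64_t vmcs_ptr = 0xDEADBEEF000ULL;   /* constructed sample value */

	memset(&e, 0xA5, sizeof(e));            /* simulated stale stack contents */
	if (zero_exception)
		memset(&e, 0, sizeof(e));       /* the workaround from the patch */

	if (write_guest_virt_helper(gva, &vmcs_ptr, sizeof(vmcs_ptr), &e) ==
	    X86EMUL_CONTINUE)
		return 0;

	pf->error_code = e.error_code;          /* garbage unless zeroed */
	pf->cr2 = e.address;
	return 1;
}

/* Accessors so each result can be checked as a plain return value. */
static int fault_injected(uint64_t gva, bool zero_exception)
{
	struct injected_pf pf = {0};
	return emulate_vmptrst_store(gva, zero_exception, &pf);
}

static uint16_t injected_error_code(uint64_t gva, bool zero_exception)
{
	struct injected_pf pf = {0};
	emulate_vmptrst_store(gva, zero_exception, &pf);
	return pf.error_code;
}

static uint64_t injected_cr2(uint64_t gva, bool zero_exception)
{
	struct injected_pf pf = {0};
	emulate_vmptrst_store(gva, zero_exception, &pf);
	return pf.cr2;
}

int main(void)
{
	printf("MMIO, unpatched: err=%#x cr2=%#llx\n",
	       injected_error_code(MMIO_GVA, false),
	       (unsigned long long)injected_cr2(MMIO_GVA, false));
	printf("MMIO, patched:   err=%#x cr2=%#llx\n",
	       injected_error_code(MMIO_GVA, true),
	       (unsigned long long)injected_cr2(MMIO_GVA, true));
	return 0;
}
```

The unmapped case shows why the memset is only a workaround: the helper still overwrites the struct on a real translation fault, so the genuine #PF keeps its correct error code and CR2, while the MMIO case now injects a fault with zeroed fields instead of whatever the stack held.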