Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp2697133ybe; Thu, 12 Sep 2019 13:27:33 -0700 (PDT) X-Google-Smtp-Source: APXvYqxc9Sejk6Q0bOWR8dfyZgn1Bnqy4jPnDmHlfisnuwrqORmjfdizqwXS6o4y8ANg2j/Bnk90 X-Received: by 2002:aa7:dd91:: with SMTP id g17mr941549edv.175.1568320053703; Thu, 12 Sep 2019 13:27:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568320053; cv=none; d=google.com; s=arc-20160816; b=BmSzmuUITCr/6ca4s+D35YJxxzqC3UjcGWRLUumEfRk6KBtLXFXfJI+Wj7PU1bU7QE Prx9xXEyuactZCwn2LWYB1IY+lIOHBlkLm8rlJafHz8CWH/Oe3fMqDM6/VXMt5BcyI2f GC+E92sLOcZz7lCpRI7V8t9zJDOzVfhuAqTU1TLyAUHm8zYgUjxx5FLxWcINOvfdhd1t Vxomb5hTSW4eXz8vN+7/FMOymP3TpjSy5HzMYpejOC3gCdfT5pB37SK9AuPmfeYrH0qB GAWvlscG510EW4R2I4jOM5ONz6m+bFojJxGpVURdc24GrnXxRz99C+qFzLUWfFZCL0f4 t+Hg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=U/0egg2l/8/sf6OVNLDHzc/+TeOVJmdKP2W9EOOrXuM=; b=FMdguiti+3UgTUcOAwExpihwvJhUCUvDpPTvYay9Dc8DCEFqFVYWqBCC/yo0mzU59w 1T2EYe0eIQbUDkM8wiVGpR2RSERs4CQ84t1nClZLBKzQ39myOgptP+hMPxN89P2TZKgv tJkskdmqOfiVLoG/3tlB6Q6pKU+JjRYxuWPE/oDrOiGuiUjTPZUTRfNZJ6KZsAiPBp2o l1v/EdJf6jpYeD87ZaGMlZn3XSu5c76jVHR9SaKpkBir7s0oBbxUr+ewILRUV8qR0xXK w1xbJjoRYZdM3ckzTaAGj0FRHD7wJFgQWVvxA8bkf4ixrlueZoQ5LZz8yj/R/mICSefu zWPA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=M2E++I2N; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b56si16305426edb.418.2019.09.12.13.27.07; Thu, 12 Sep 2019 13:27:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=M2E++I2N; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731488AbfILMCd (ORCPT + 99 others); Thu, 12 Sep 2019 08:02:33 -0400 Received: from mail-ed1-f67.google.com ([209.85.208.67]:40534 "EHLO mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731106AbfILMCd (ORCPT ); Thu, 12 Sep 2019 08:02:33 -0400 Received: by mail-ed1-f67.google.com with SMTP id v38so23696488edm.7; Thu, 12 Sep 2019 05:02:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=U/0egg2l/8/sf6OVNLDHzc/+TeOVJmdKP2W9EOOrXuM=; b=M2E++I2Ns2RrNNsY01QnhgBt0bkK9Ydxw1b0fze7A88rWXXpYBezAHPpV61/rVxlRw R1O7RuqhD0Hng0BwD9q0eNUnmS7OVPEWg7huYIRveHh9mQqiy2E0TA8PrGizkKs5dsm0 PlXWRf03hbC0TK8xLq70xq0jm/qsjSf5DsRymVao9zyiQLf8gzHSGg8SOJTruCxLR/Tn 9MUGPhrNdR745VODf31HpM6HvoglvgLTgsaUnogpfECuZkmR+Z451gq5sZ/aZY9JGZCO /zMBAdc+CiwjYwamTpYJAyjcE6/KB3a9l2Cg7EPxKODJt6TNJaFLfmkIs+99A+G6kz/c 2pXw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=U/0egg2l/8/sf6OVNLDHzc/+TeOVJmdKP2W9EOOrXuM=; b=cq1wxI17Mf2lHvxPKTO+hqbUWeoE6yRkJXedEwG4dZfxcq359o95HBY7YRY8OCCCYR Hk9ov0SQkGPFDUToBGXDSgi6QabJDcpBctkqn3viV6BWeVrENOVUs7OBejS8aUTEY/np oyUIHkv66tL3j8gJYP0wuy8uB3bgUhu4O6CH5Y+ChSnsQEZTkVDZLOdh+EUXh2kZS0Pk O9cDjD0LvOXm5tmgwTs2mls0hHb2b4eG4HsY8c6pccTqdqhmRNxWgKoUx4x0SNdCd48A vw9n8aRHLzHbcjjSrDLl5aZlLXMn6XhC2q4tiY3WCEXCX6evRSQcfHeNCDcHG3d/LAhU XEtA== X-Gm-Message-State: APjAAAUDlGTiN02jMh6GaEv55hvedc9IQzL/S1efCCwxxYl7X1qbCn2g F8ekTl8doZ36Ba/IM7AZU3fiHaZwPkWHbiusnPZwh4tZ X-Received: by 2002:a05:6402:611:: with SMTP id n17mr42169718edv.33.1568289751677; Thu, 12 Sep 2019 05:02:31 -0700 (PDT) MIME-Version: 1.0 References: <20190912041817.23984-1-huangfq.daxian@gmail.com> <87tv9hew2k.fsf@vitty.brq.redhat.com> <87r24leqf4.fsf@vitty.brq.redhat.com> In-Reply-To: <87r24leqf4.fsf@vitty.brq.redhat.com> From: Fuqian Huang Date: Thu, 12 Sep 2019 20:02:20 +0800 Message-ID: Subject: Re: [PATCH] KVM: x86: work around leak of uninitialized stack contents To: Vitaly Kuznetsov Cc: Paolo Bonzini , =?UTF-8?B?UmFkaW0gS3LEjW3DocWZ?= , Sean Christopherson , Wanpeng Li , Jim Mattson , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H . Peter Anvin" , x86@kernel.org, kvm@vger.kernel.org, Linux Kernel Mailing List Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Vitaly Kuznetsov =E6=96=BC 2019=E5=B9=B49=E6=9C=8812= =E6=97=A5=E9=80=B1=E5=9B=9B =E4=B8=8B=E5=8D=886:53=E5=AF=AB=E9=81=93=EF=BC= =9A > > Fuqian Huang writes: > > > Vitaly Kuznetsov =E6=96=BC 2019=E5=B9=B49=E6=9C= =8812=E6=97=A5=E9=80=B1=E5=9B=9B =E4=B8=8B=E5=8D=884:51=E5=AF=AB=E9=81=93= =EF=BC=9A > >> > >> Fuqian Huang writes: > >> > >> > Emulation of VMPTRST can incorrectly inject a page fault > >> > when passed an operand that points to an MMIO address. > >> > The page fault will use uninitialized kernel stack memory > >> > as the CR2 and error code. > >> > > >> > The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL= _ERROR > >> > exit to userspace; > >> > >> Hm, why so? KVM_EXIT_INTERNAL_ERROR is basically an error in KVM, this > >> is not a proper reaction to a userspace-induced condition (or ever). > >> > >> I also looked at VMPTRST's description in Intel's manual and I can't > >> find and explicit limitation like "this must be normal memory". We're > >> just supposed to inject #PF "If a page fault occurs in accessing the > >> memory destination operand." > >> > >> In case it seems to be too cumbersome to handle VMPTRST to MMIO and we > >> think that nobody should be doing that I'd rather prefer injecting #GP= . > >> > >> Please tell me what I'm missing :-) > > > > I found it during the code review, and it looks like the problem the > > commit 353c0956a618 ("KVM: x86: work around leak of uninitialized > > stack contents (CVE-2019-7222)") > > mentions. So I fixed it in a similar way. > > > > Oh, yes, I'm not against the fix at all, I was just wondering about why > you think we need to kill the guest in this case. I don't know what is the proper way to handle this case, I just initialize = the memory to avoid information leakage. (Actually, I am not an expert on KVM's code) I will be appreciated if the bug is fixed. :) > > -- > Vitaly