Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp201842ybe; Thu, 12 Sep 2019 18:22:07 -0700 (PDT) X-Google-Smtp-Source: APXvYqyeFvFNDESMgUt6RJnaaXbSOAdLtlSRtv+nySVeepcag6Lmy6lRIlFCBIXGpE8zA3RqEs17 X-Received: by 2002:a17:906:7e44:: with SMTP id z4mr36828867ejr.290.1568337727520; Thu, 12 Sep 2019 18:22:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568337727; cv=none; d=google.com; s=arc-20160816; b=y3c7u5bIPqVviNnBmyTz/osfwE/t59ld25EpfZwt8TtLm2zXku128ibpPFkB8R83SL GHMa4+NlsIW7Ax6h6UOG5KN5rr4gziX2hVF1gWfbYDUvlryGOEwE9FAwrb+f1HnEwEGD uEW12wIYBvIrD7515b0PdCB7RaagJh38YZwBkfQR2/5Y4MU4I4LtHKvmEBXZyKpIsDAR LX4iqCrj0Mm0x2ln3DdrFFnKe/JGfhOXeMAqqg6O4sqocUQDqu7uIxDcPeVCe/4kTXjl 98b7GXqpge8h2w1MV5ZUBR3JeyHpYsmr8SkxPpM6XLnW8f/Gk/2D66i3DdU8K8QLNfiF K8AA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=og4JNS53Oi7tC9WPcyMdwVpdo59stNcPCQ3ba+CuFd0=; b=MJv42rrZJEjxq09D+ZgLFbJFKrapI6Bmj54u0A2E3AMmGlzGqJCPcaVGJn1blroz5t Q2NWrkV6kx2pKm7OaYBgNkb9cmrzRKvcZ0LnXU+XYOIiN7XwiTGkGMjevYEYyIZqXeY/ CUvtXI1RDQ6GAWLQT6bkwSkRiiGBuHYf6cqFck/qSmF1k3BgCi14O1N54tu7k3Md+S+K EAbUfOZ9CvzW/PqPOf4vs8q/Lk2QgIiKC6gDOt03rHHIPsQMZLLZRxOdN+3rmolGPrrZ eej9kddCsOdWbFyKXO6QWVqiCPeF6XTe353AF611f58nOBJjJjTEZ73WnEEM+lq6f/KN 8pdg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m10si412541ejc.337.2019.09.12.18.21.44; Thu, 12 Sep 2019 18:22:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728023AbfILXwG (ORCPT + 99 others); Thu, 12 Sep 2019 19:52:06 -0400 Received: from mga17.intel.com ([192.55.52.151]:44578 "EHLO mga17.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726899AbfILXwG (ORCPT ); Thu, 12 Sep 2019 19:52:06 -0400 X-Amp-Result: UNKNOWN X-Amp-Original-Verdict: FILE UNKNOWN X-Amp-File-Uploaded: False Received: from fmsmga006.fm.intel.com ([10.253.24.20]) by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Sep 2019 16:52:05 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.64,489,1559545200"; d="scan'208";a="386225320" Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.41]) by fmsmga006.fm.intel.com with ESMTP; 12 Sep 2019 16:52:05 -0700 Date: Thu, 12 Sep 2019 16:52:05 -0700 From: Sean Christopherson To: Jim Mattson Cc: Fuqian Huang , Paolo Bonzini , Radim =?utf-8?B?S3LEjW3DocWZ?= , Vitaly Kuznetsov , Wanpeng Li , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H . Peter Anvin" , the arch/x86 maintainers , kvm list , LKML Subject: Re: [PATCH] KVM: x86: work around leak of uninitialized stack contents Message-ID: <20190912235205.GA6588@linux.intel.com> References: <20190912041817.23984-1-huangfq.daxian@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.24 (2015-08-30) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Sep 12, 2019 at 02:20:09PM -0700, Jim Mattson wrote: > On Wed, Sep 11, 2019 at 9:18 PM Fuqian Huang wrote: > > > > Emulation of VMPTRST can incorrectly inject a page fault > > when passed an operand that points to an MMIO address. > > The page fault will use uninitialized kernel stack memory > > as the CR2 and error code. > > > > The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR > > exit to userspace; however, it is not an easy fix, so for now just ensure > > that the error code and CR2 are zero. > > > > Signed-off-by: Fuqian Huang > > --- > > arch/x86/kvm/x86.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > > index 290c3c3efb87..7f442d710858 100644 > > --- a/arch/x86/kvm/x86.c > > +++ b/arch/x86/kvm/x86.c > > @@ -5312,6 +5312,7 @@ int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val, > > /* kvm_write_guest_virt_system can pull in tons of pages. */ > > vcpu->arch.l1tf_flush_l1d = true; > > > > + memset(exception, 0, sizeof(*exception)); > > return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, > > PFERR_WRITE_MASK, exception); > > } > > -- > > 2.11.0 > > > Perhaps you could also add a comment like the one Paolo added when he > made the same change in kvm_read_guest_virt? > See commit 353c0956a618 ("KVM: x86: work around leak of uninitialized > stack contents (CVE-2019-7222)"). I have a better hack-a-fix, we can handle the unexpected MMIO using master abort semantics, i.e. reads return all ones, writes are dropped. It's not 100% correct as KVM won't handle the case where the address is legit MMIO, but it's at least sometimes correct and thus better than a #PF. Patch and a unit test incoming...