Reply-To: Sean Christopherson
Date: Fri, 21 Jul 2023 18:23:49 -0700
In-Reply-To: <20230722012350.2371049-1-seanjc@google.com>
References: <20230722012350.2371049-1-seanjc@google.com>
X-Mailer: git-send-email 2.41.0.487.g6d72f3e995-goog
Message-ID: <20230722012350.2371049-5-seanjc@google.com>
Subject: [PATCH 4/5] KVM: x86/mmu: Disallow guest from using !visible slots for page tables
From: Sean Christopherson
To: Sean Christopherson, Paolo Bonzini
Cc: kvm@vger.kernel.org, linux-kernel@vger.kernel.org, Reima Ishii
Content-Type: text/plain; charset="UTF-8"
X-Mailing-List: linux-kernel@vger.kernel.org

Explicitly inject a page fault if the guest attempts to use a !visible gfn as a page table. kvm_vcpu_gfn_to_hva_prot() will naturally handle the case where there is no memslot, but doesn't catch the scenario where the gfn points at a KVM-internal memslot.

Letting the guest backdoor its way into accessing KVM-internal memslots isn't dangerous on its own, e.g. at worst the guest can crash itself, but disallowing the behavior will simplify fixing how KVM handles !visible guest root gfns (immediately synthesizing a triple fault when loading the root is architecturally wrong).

Signed-off-by: Sean Christopherson
---
arch/x86/kvm/mmu/paging_tmpl.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu/paging_tmpl.h b/arch/x86/kvm/mmu/paging_tmpl.h
index 0662e0278e70..122bfc0124d3 100644
--- a/arch/x86/kvm/mmu/paging_tmpl.h
+++ b/arch/x86/kvm/mmu/paging_tmpl.h
@@ -351,6 +351,7 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker, ++walker->level; do { + struct kvm_memory_slot *slot; unsigned long host_addr; pt_access = pte_access; 
@@ -381,7 +382,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker, if (unlikely(real_gpa == INVALID_GPA)) return 0; - host_addr = kvm_vcpu_gfn_to_hva_prot(vcpu, gpa_to_gfn(real_gpa), + slot = kvm_vcpu_gfn_to_memslot(vcpu, gpa_to_gfn(real_gpa)); + if (!kvm_is_visible_memslot(slot)) + goto error; + + host_addr = gfn_to_hva_memslot_prot(slot, gpa_to_gfn(real_gpa), &walker->pte_writable[walker->level - 1]); if (unlikely(kvm_is_error_hva(host_addr))) goto error; -- 2.41.0.487.g6d72f3e995-goog
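Review bot: in the second hunk, the no-memslot case that the commit message says kvm_vcpu_gfn_to_hva_prot() used to handle is now covered only by the new `if (!kvm_is_visible_memslot(slot)) goto error;` check, because `gfn_to_hva_memslot_prot(slot, ...)` is called with whatever `kvm_vcpu_gfn_to_memslot()` returned; please state in the commit message that kvm_is_visible_memslot() treats a missing slot as not visible, and add a one-line comment above the check ("a guest page table must never live in a missing or KVM-internal memslot") so the next reader does not take the `goto error` for an unrelated cleanup. Minor: `gpa_to_gfn(real_gpa)` is now evaluated twice in this hunk; hoisting it into a local `gfn_t` next to the `struct kvm_memory_slot *slot;` added in the first hunk would keep the lookup and the hva conversion visibly operating on the same gfn.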