Re: [PATCH] kvm/x86/mmu: use the correct inherited permissions to get shadow page

[Paolo Bonzini]

On 30/11/20 18:41, Sean Christopherson wrote:
> > pmd1 and pmd2 point to the same pte table, so:
> > ptr1 and ptr3 points to the same page.
> > ptr2 and ptr4 points to the same page.
> >
> >    The guess read-accesses to ptr1 first. So the hypervisor gets the
> > shadow pte page table with role.access=u-- among other things.
> >     (Note the shadowed pmd1's access is uwx)
> >
> >    And then the guest write-accesses to ptr2, and the hypervisor
> > set up shadow page for ptr2.
> >     (Note the hypervisor silencely accepts the role.access=u--
> >      shadow pte page table in FNAME(fetch))
> >
> >    After that, the guess read-accesses to ptr3, the hypervisor
> > reused the same shadow pte page table as above.
> >
> >    At last, the guest writes to ptr4 without vmexit nor pagefault,
> > Which should cause vmexit as the guest expects.
>
> Hmm, yes, KVM would incorrectly handle this scenario.  But, the proposed patch
> would not address the issue as KVM always maps non-leaf shadow pages with full
> access permissions.

Can we have a testcase in kvm-unit-tests?  It's okay of course if it 
only fails with ept=0.

Paolo