Re: [PATCH] KVM: nVMX: Prevent vmlaunch with EPTP pointing outside assigned memory area

From: Sean Christopherson
Date: Fri Jun 30 2023 - 11:37:15 EST


On Fri, Jun 30, 2023, Yuan Yao wrote:
> On Thu, Jun 29, 2023 at 01:30:31PM -0700, Sean Christopherson wrote:
> > @@ -3834,8 +3822,8 @@ static int mmu_alloc_shadow_roots(struct kvm_vcpu *vcpu)
> > if (!(pdptrs[i] & PT_PRESENT_MASK))
> > continue;
> >
> > - if (mmu_check_root(vcpu, pdptrs[i] >> PAGE_SHIFT))
> > - return 1;
> > + if (kvm_vcpu_is_visible_gfn(vcpu, pdptrs[i] >> PAGE_SHIFT))
> > + pdptrs[i] = 0;
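Review bot: the visibility check on the new `+` line is inverted. `if (kvm_vcpu_is_visible_gfn(vcpu, pdptrs[i] >> PAGE_SHIFT)) pdptrs[i] = 0;` zeroes exactly the PDPTRs that point at guest-visible memory and keeps the ones that point outside it, the opposite of the `mmu_check_root()` failure path it replaces. Negate the condition: `if (!kvm_vcpu_is_visible_gfn(vcpu, pdptrs[i] >> PAGE_SHIFT))`.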
>
> Hi Sean,
>
> Should this be "!kvm_vcpu_is_visible_gfn(vcpu, pdptrs[i] >> PAGE_SHIFT)" and

Yep, typo that inverted the check. Thanks for saving me some debug time!

> turn the pae_root[i] into a dummy root yet?

No, zeroing the PDPTR is sufficient. Unlike CR3, which is always "present", PDPTRs
have a present bit and so KVM can communicate to hardware that the entry isn't
valid simply by clearing the PDPTR.
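Added example, not KVM's code: a stand-alone model of the PAE PDPTR sanitization discussed above, with the visibility check the right way round. It assumes the PAE layout (four PDPTRs, bit 0 present, frame number from bit 12) and models "visible GFN" with a constructed two-slot guest memory map and a hypothetical gfn_is_visible() helper standing in for kvm_vcpu_is_visible_gfn(). The point it shows is the one in the reply: a PDPTR carries its own present bit, so writing 0 is enough for the entry to read as not present, with no separate "dummy root" state needed.

```c
/*
 * Added example, not KVM code. Models PAE PDPTR handling: present entries
 * that point outside guest-visible memory are cleared, and a cleared entry
 * reads as non-present because PAE PDPTRs carry a present bit (unlike CR3).
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT      12
#define PT_PRESENT_MASK 1ULL
#define PAE_PDPTR_COUNT 4

/* Constructed guest memory map (assumption): two memslots, in GFNs. */
struct memslot { uint64_t base_gfn; uint64_t npages; };
static const struct memslot constructed_slots[] = {
	{ 0x0,     0x1000 },   /* GFNs [0x0,     0x1000)  */
	{ 0x10000, 0x100  },   /* GFNs [0x10000, 0x10100) */
};

/* Hypothetical stand-in for kvm_vcpu_is_visible_gfn(): is gfn in a slot? */
static bool gfn_is_visible(uint64_t gfn)
{
	for (size_t i = 0; i < sizeof(constructed_slots) / sizeof(constructed_slots[0]); i++) {
		const struct memslot *s = &constructed_slots[i];
		if (gfn >= s->base_gfn && gfn < s->base_gfn + s->npages)
			return true;
	}
	return false;
}

/* What hardware consults for a PDPTR: the present bit, nothing else. */
static bool pdptr_is_present(uint64_t pdptr)
{
	return (pdptr & PT_PRESENT_MASK) != 0;
}

/*
 * Clear every present PDPTR whose frame is not guest-visible. Non-present
 * entries are skipped untouched. Returns the number of entries cleared.
 */
static int sanitize_pdptrs(uint64_t pdptrs[PAE_PDPTR_COUNT])
{
	int cleared = 0;

	for (int i = 0; i < PAE_PDPTR_COUNT; i++) {
		if (!(pdptrs[i] & PT_PRESENT_MASK))
			continue;
		/* Note the negation: clear the entry only if it is NOT visible. */
		if (!gfn_is_visible(pdptrs[i] >> PAGE_SHIFT)) {
			pdptrs[i] = 0;
			cleared++;
		}
	}
	return cleared;
}

/* Constructed PDPTRs (assumption): two valid, two pointing outside memory. */
static uint64_t example_pdptrs[PAE_PDPTR_COUNT] = {
	(0x1ULL     << PAGE_SHIFT) | PT_PRESENT_MASK, /* GFN 0x1,     visible   */
	(0x5000ULL  << PAGE_SHIFT) | PT_PRESENT_MASK, /* GFN 0x5000,  invisible */
	(0x2000ULL  << PAGE_SHIFT) | PT_PRESENT_MASK, /* GFN 0x2000,  invisible */
	(0x10000ULL << PAGE_SHIFT) | PT_PRESENT_MASK, /* GFN 0x10000, visible   */
};

/* Run the constructed scenario once; returns how many entries were cleared. */
static int run_example(void)
{
	return sanitize_pdptrs(example_pdptrs);
}

int main(void)
{
	int cleared = run_example();

	printf("cleared %d PDPTR(s)\n", cleared);
	for (int i = 0; i < PAE_PDPTR_COUNT; i++)
		printf("pdptr[%d] = 0x%llx present=%d\n", i,
		       (unsigned long long)example_pdptrs[i],
		       pdptr_is_present(example_pdptrs[i]));
	return 0;
}
```

The contrast with CR3 is the whole reason the zeroing works: a CR3 value is consumed as a frame number with no present bit, so an out-of-range CR3 has to be handled some other way, whereas a zeroed PDPTR is simply an entry the hardware will not follow.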