| Message ID | 20230315195109.580333-1-d-tatianin@yandex-team.ru (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | kvm/x86: actually verify that reading MSR_IA32_UCODE_REV succeeds | expand |
On Wed, Mar 15, 2023, Daniil Tatianin wrote: > ...and return KVM_MSR_RET_INVALID otherwise. > > Found by Linux Verification Center (linuxtesting.org) with the SVACE > static analysis tool. > > Fixes: cd28325249a1 ("KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR") > Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru> > --- > arch/x86/kvm/x86.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c > index 7713420abab0..7de6939fc371 100644 > --- a/arch/x86/kvm/x86.c > +++ b/arch/x86/kvm/x86.c > @@ -1661,7 +1661,8 @@ static int kvm_get_msr_feature(struct kvm_msr_entry *msr) > msr->data = kvm_caps.supported_perf_cap; > break; > case MSR_IA32_UCODE_REV: > - rdmsrl_safe(msr->index, &msr->data); > + if (rdmsrl_safe(msr->index, &msr->data)) > + return KVM_MSR_RET_INVALID; This is unnecessary and would arguably break KVM's ABI. KVM unconditionally emulates MSR_IA32_UCODE_REV in software and rdmsrl_safe() zeros the result on a fault (see ex_handler_msr()). '0' is a legitimate ucode revid and a reasonable fallback for a theoretical (virtual) CPU that doesn't support the MSR.
On 3/15/23 11:16 PM, Sean Christopherson wrote: > On Wed, Mar 15, 2023, Daniil Tatianin wrote: >> ...and return KVM_MSR_RET_INVALID otherwise. >> >> Found by Linux Verification Center (linuxtesting.org) with the SVACE >> static analysis tool. >> >> Fixes: cd28325249a1 ("KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR") >> Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru> >> --- >> arch/x86/kvm/x86.c | 3 ++- >> 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c >> index 7713420abab0..7de6939fc371 100644 >> --- a/arch/x86/kvm/x86.c >> +++ b/arch/x86/kvm/x86.c >> @@ -1661,7 +1661,8 @@ static int kvm_get_msr_feature(struct kvm_msr_entry *msr) >> msr->data = kvm_caps.supported_perf_cap; >> break; >> case MSR_IA32_UCODE_REV: >> - rdmsrl_safe(msr->index, &msr->data); >> + if (rdmsrl_safe(msr->index, &msr->data)) >> + return KVM_MSR_RET_INVALID; > > This is unnecessary and would arguably break KVM's ABI. KVM unconditionally emulates > MSR_IA32_UCODE_REV in software and rdmsrl_safe() zeros the result on a fault (see > ex_handler_msr()). '0' is a legitimate ucode revid and a reasonable fallback for > a theoretical (virtual) CPU that doesn't support the MSR. I see, thanks for the explanation!
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 7713420abab0..7de6939fc371 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1661,7 +1661,8 @@ static int kvm_get_msr_feature(struct kvm_msr_entry *msr) msr->data = kvm_caps.supported_perf_cap; break; case MSR_IA32_UCODE_REV: - rdmsrl_safe(msr->index, &msr->data); + if (rdmsrl_safe(msr->index, &msr->data)) + return KVM_MSR_RET_INVALID; break; default: return static_call(kvm_x86_get_msr_feature)(msr);
...and return KVM_MSR_RET_INVALID otherwise. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Fixes: cd28325249a1 ("KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR") Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru> --- arch/x86/kvm/x86.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)