Message ID | 20170117135104.145739-1-dvyukov@google.com (mailing list archive) |
---|---|
State | New, archived |
2017-01-17 14:51+0100, Dmitry Vyukov:
> emulator_fix_hypercall() replaces a hypercall with a vmcall instruction,
> but it does not handle a GP exception properly when it writes the new instruction.
> It can return X86EMUL_PROPAGATE_FAULT without setting exception information.
> This leads to incorrect emulation and triggers
> WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn()
> as discovered by the syzkaller fuzzer:
>
> WARNING: CPU: 2 PID: 18646 at arch/x86/kvm/emulate.c:5558
> Call Trace:
>  warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
>  x86_emulate_insn+0x16a5/0x4090 arch/x86/kvm/emulate.c:5572
>  x86_emulate_instruction+0x403/0x1cc0 arch/x86/kvm/x86.c:5618
>  emulate_instruction arch/x86/include/asm/kvm_host.h:1127 [inline]
>  handle_exception+0x594/0xfd0 arch/x86/kvm/vmx.c:5762
>  vmx_handle_exit+0x2b7/0x38b0 arch/x86/kvm/vmx.c:8625
>  vcpu_enter_guest arch/x86/kvm/x86.c:6888 [inline]
>  vcpu_run arch/x86/kvm/x86.c:6947 [inline]
>
> Set exception information when the write in emulator_fix_hypercall() fails.
>
> Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Paolo Bonzini <pbonzini@redhat.com>
> Cc: Radim Krčmář <rkrcmar@redhat.com>
> Cc: Wanpeng Li <wanpeng.li@hotmail.com>
> Cc: kvm@vger.kernel.org
> Cc: syzkaller@googlegroups.com
> ---

Applied to kvm/master, thanks.
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index 57d8a856cdc5..d153be8929a6 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -6171,7 +6171,8 @@ static int emulator_fix_hypercall(struct x86_emulate_ctxt *ctxt) kvm_x86_ops->patch_hypercall(vcpu, instruction); - return emulator_write_emulated(ctxt, rip, instruction, 3, NULL); + return emulator_write_emulated(ctxt, rip, instruction, 3, + &ctxt->exception); } static int dm_request_for_irq_injection(struct kvm_vcpu *vcpu)
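Review bot: a one-line comment above the return would help here, because nothing in emulator_fix_hypercall() says that the 3-byte write at rip can fault (the commit message cites a #GP) or why the exception pointer matters: with the old NULL argument, emulator_write_emulated() returned X86EMUL_PROPAGATE_FAULT while ctxt->exception was left untouched, which is exactly what tripped WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn(). Something like "/* The write can fault; record it in ctxt->exception so it is injected into the guest. */" above "return emulator_write_emulated(ctxt, rip, instruction, 3, &ctxt->exception);" would make the contract visible to the next person who touches this path.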
emulator_fix_hypercall() replaces a hypercall with a vmcall instruction,
but it does not handle a GP exception properly when it writes the new instruction.
It can return X86EMUL_PROPAGATE_FAULT without setting exception information.
This leads to incorrect emulation and triggers
WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn()
as discovered by the syzkaller fuzzer:

WARNING: CPU: 2 PID: 18646 at arch/x86/kvm/emulate.c:5558
Call Trace:
 warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
 x86_emulate_insn+0x16a5/0x4090 arch/x86/kvm/emulate.c:5572
 x86_emulate_instruction+0x403/0x1cc0 arch/x86/kvm/x86.c:5618
 emulate_instruction arch/x86/include/asm/kvm_host.h:1127 [inline]
 handle_exception+0x594/0xfd0 arch/x86/kvm/vmx.c:5762
 vmx_handle_exit+0x2b7/0x38b0 arch/x86/kvm/vmx.c:8625
 vcpu_enter_guest arch/x86/kvm/x86.c:6888 [inline]
 vcpu_run arch/x86/kvm/x86.c:6947 [inline]

Set exception information when the write in emulator_fix_hypercall() fails.

Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: kvm@vger.kernel.org
Cc: syzkaller@googlegroups.com
---
 arch/x86/kvm/x86.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
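To make the failure mode in the commit message concrete, the following is an added, constructed C model of the emulator's fault contract; it is not KVM code and not part of this thread. The struct and function names are simplified stand-ins for x86_emulate_ctxt, emulator_write_emulated() and emulator_fix_hypercall(); the 64-byte "guest page", the page_writable flag, the fault kinds chosen for each failure (#GP(0) past the page, #PF on a read-only page) and the out-of-range initial vector are all assumptions of the example. It shows the "before" caller passing NULL, so the status says fault but ctxt->exception is never filled and the WARN_ON condition holds, beside the "after" caller that passes &ctxt->exception.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the KVM x86 emulator's fault-propagation contract.
 * Names are simplified stand-ins for the real ones; sizes, flags and the
 * initial vector value are assumptions of this example, not KVM's code. */
#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 2
#define GP_VECTOR 13
#define PF_VECTOR 14
#define GUEST_PAGE_SIZE 64

struct x86_exception {
    uint8_t  vector;        /* > 0x1f means "no valid exception recorded" */
    bool     error_code_valid;
    uint16_t error_code;
};

struct emulate_ctxt {
    struct x86_exception exception;      /* what gets injected on a fault */
    uint8_t guest_mem[GUEST_PAGE_SIZE];  /* toy guest code page (constructed) */
    bool    page_writable;               /* stands in for the page-table W bit */
};

/* vmcall is 0f 01 c1, the VMX encoding patch_hypercall() writes on Intel hosts. */
static const uint8_t VMCALL[3] = { 0x0f, 0x01, 0xc1 };

/* Model of emulator_write_emulated(): a fault is reported through the return
 * status AND through *exception, but only when the caller passes a pointer. */
static int emulator_write(struct emulate_ctxt *ctxt, uint64_t gva,
                          const void *val, unsigned bytes,
                          struct x86_exception *exception)
{
    if (gva + bytes > GUEST_PAGE_SIZE) {          /* outside the segment: #GP(0) */
        if (exception) {
            exception->vector = GP_VECTOR;
            exception->error_code_valid = true;
            exception->error_code = 0;
        }
        return X86EMUL_PROPAGATE_FAULT;
    }
    if (!ctxt->page_writable) {                    /* read-only mapping: #PF */
        if (exception) {
            exception->vector = PF_VECTOR;
            exception->error_code_valid = true;
            exception->error_code = 0x3;           /* present | write (constructed) */
        }
        return X86EMUL_PROPAGATE_FAULT;
    }
    memcpy(&ctxt->guest_mem[gva], val, bytes);
    return X86EMUL_CONTINUE;
}

/* Before the patch: the fault status comes back, its detail is dropped. */
static int fix_hypercall_buggy(struct emulate_ctxt *ctxt, uint64_t rip)
{
    return emulator_write(ctxt, rip, VMCALL, sizeof VMCALL, NULL);
}

/* After the patch: the fault lands in ctxt->exception, ready to be injected. */
static int fix_hypercall_fixed(struct emulate_ctxt *ctxt, uint64_t rip)
{
    return emulator_write(ctxt, rip, VMCALL, sizeof VMCALL, &ctxt->exception);
}

typedef int (*fix_fn)(struct emulate_ctxt *, uint64_t);

/* Fresh context for one emulation; "no exception yet" is an out-of-range
 * vector, which is the assumption behind the > 0x1f check below. */
static int run_fix(struct emulate_ctxt *ctxt, fix_fn fix, bool writable, uint64_t rip)
{
    memset(ctxt, 0, sizeof *ctxt);
    memset(ctxt->guest_mem, 0x90, sizeof ctxt->guest_mem);  /* nops (constructed) */
    ctxt->page_writable = writable;
    ctxt->exception.vector = (uint8_t)-1;
    return fix(ctxt, rip);
}

/* Caller-side check modelled on x86_emulate_insn(): a PROPAGATE_FAULT status
 * without a usable vector is an emulator bug. Returns 1 if it would fire. */
static int warn_on_would_fire(fix_fn fix, bool writable, uint64_t rip)
{
    struct emulate_ctxt ctxt;
    int rc = run_fix(&ctxt, fix, writable, rip);
    return rc == X86EMUL_PROPAGATE_FAULT && ctxt.exception.vector > 0x1f;
}

/* Vector the guest would receive, or -1 if the write succeeded. */
static int injected_vector(fix_fn fix, bool writable, uint64_t rip)
{
    struct emulate_ctxt ctxt;
    if (run_fix(&ctxt, fix, writable, rip) != X86EMUL_PROPAGATE_FAULT)
        return -1;
    return ctxt.exception.vector;
}

/* 1 if the three bytes at rip were rewritten to vmcall. */
static int patched_to_vmcall(fix_fn fix, bool writable, uint64_t rip)
{
    struct emulate_ctxt ctxt;
    if (run_fix(&ctxt, fix, writable, rip) != X86EMUL_CONTINUE)
        return 0;
    return memcmp(&ctxt.guest_mem[rip], VMCALL, sizeof VMCALL) == 0;
}

int main(void)
{
    printf("buggy, read-only page: WARN_ON fires = %d\n",
           warn_on_would_fire(fix_hypercall_buggy, false, 0x10));
    printf("fixed, read-only page: WARN_ON fires = %d, vector = %d\n",
           warn_on_would_fire(fix_hypercall_fixed, false, 0x10),
           injected_vector(fix_hypercall_fixed, false, 0x10));
    printf("fixed, rip past the page: vector = %d; writable page patched = %d\n",
           injected_vector(fix_hypercall_fixed, true, 0x3e),
           patched_to_vmcall(fix_hypercall_fixed, true, 0x10));
    return 0;
}
```

The general lesson is the one the patch fixes: when a function reports failure through a status code and the detail through an out-parameter, every caller that can hit the failure must wire the out-parameter, or the caller up the stack sees a "fault" with stale detail and, in this case, a WARN_ON reachable from an unprivileged guest.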