From patchwork Sun Dec 18 14:02:49 2016
X-Patchwork-Submitter: Haozhong Zhang
X-Patchwork-Id: 9479319
Date: Sun, 18 Dec 2016 22:02:49 +0800
From: Haozhong Zhang
To: Jan Beulich, Andrew Cooper, xen-devel@lists.xen.org
Cc: Kevin Tian, Jun Nakajima
Message-ID: <20161218140249.4eb5udpyftqjd3s7@hz-desktop>
References: <20161214101145.11171-1-haozhong.zhang@intel.com> <20161214101145.11171-4-haozhong.zhang@intel.com>
In-Reply-To: <20161214101145.11171-4-haozhong.zhang@intel.com>
Subject: Re: [Xen-devel] [PATCH v2 3/4] vvmx: check the operand of L1 vmxon

On 12/14/16 18:11 +0800, Haozhong Zhang wrote:
>Check whether the operand of L1 vmxon is a valid VMXON region address
>and whether the VMXON region at that address contains a valid revision
>ID.
>
>Signed-off-by: Haozhong Zhang
>Reviewed-by: Andrew Cooper
>Reviewed-by: Konrad Rzeszutek Wilk
>Acked-by: Kevin Tian
>---
> xen/arch/x86/hvm/vmx/vvmx.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
>diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
>index e765b60..5523146 100644
>--- a/xen/arch/x86/hvm/vmx/vvmx.c
>+++ b/xen/arch/x86/hvm/vmx/vvmx.c
>@@ -1383,6 +1383,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
>     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
>     struct vmx_inst_decoded decode;
>     unsigned long gpa = 0;
>+    uint32_t nvmcs_revid;
>     int rc;
> 
>     rc = decode_vmx_inst(regs, &decode, &gpa, 1);
>@@ -1397,6 +1398,21 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
>         return X86EMUL_OKAY;
>     }
> 
>+    if ( (gpa & ~PAGE_MASK) || (gpa >> v->domain->arch.paging.gfn_bits) )
                                                                ^^^^^^^^

I mistook it for the number of valid bits of a physical address and
therefore missed adding PAGE_SHIFT here. The correct patch should be the
one attached.

I notice the wrong patch has been in the staging branch, so should I send
a patch(set) to fix my mistake on the staging branch?

Thanks,
Haozhong

From 809cf1ee317527d2eb8c2d8bac3be46b4d446b63 Mon Sep 17 00:00:00 2001
From: Haozhong Zhang
Date: Tue, 13 Dec 2016 19:49:48 +0800
Subject: [RESEND PATCH v2 3/5] vvmx: check the operand of L1 vmxon

Check whether the operand of L1 vmxon is a valid VMXON region address
and whether the VMXON region at that address contains a valid revision
ID.

Signed-off-by: Haozhong Zhang
---
 xen/arch/x86/hvm/vmx/vvmx.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/xen/arch/x86/hvm/vmx/vvmx.c b/xen/arch/x86/hvm/vmx/vvmx.c
index e765b60..a1f8e16 100644
--- a/xen/arch/x86/hvm/vmx/vvmx.c
+++ b/xen/arch/x86/hvm/vmx/vvmx.c
@@ -1383,6 +1383,7 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
     struct nestedvcpu *nvcpu = &vcpu_nestedhvm(v);
     struct vmx_inst_decoded decode;
     unsigned long gpa = 0;
+    uint32_t nvmcs_revid;
     int rc;
 
     rc = decode_vmx_inst(regs, &decode, &gpa, 1);
@@ -1397,6 +1398,22 @@ int nvmx_handle_vmxon(struct cpu_user_regs *regs)
         return X86EMUL_OKAY;
     }
 
+    if ( (gpa & ~PAGE_MASK) ||
+         (gpa >> (v->domain->arch.paging.gfn_bits + PAGE_SHIFT)) )
+    {
+        vmreturn(regs, VMFAIL_INVALID);
+        return X86EMUL_OKAY;
+    }
+
+    rc = hvm_copy_from_guest_phys(&nvmcs_revid, gpa, sizeof(nvmcs_revid));
+    if ( rc != HVMCOPY_okay ||
+         (nvmcs_revid & ~VMX_BASIC_REVISION_MASK) ||
+         ((nvmcs_revid ^ vmx_basic_msr) & VMX_BASIC_REVISION_MASK) )
+    {
+        vmreturn(regs, VMFAIL_INVALID);
+        return X86EMUL_OKAY;
+    }
+
     nvmx->vmxon_region_pa = gpa;
 
     /*
-- 
2.10.1
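Review bot: In the quoted v2 3/4 hunk at -1397, the bound `(gpa >> v->domain->arch.paging.gfn_bits)` shifts by the width of a frame number, not of a physical address, so any VMXON region at or above 2^gfn_bits bytes is refused with VMFAIL_INVALID even though it sits well inside the guest's physical address space; the resent patch's `(gpa >> (v->domain->arch.paging.gfn_bits + PAGE_SHIFT))` is the bound that matches the alignment check beside it, and since the narrower form is already in staging it needs a follow-up fix there rather than a replacement of the merged patch.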
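Review bot: In the resent patch's hunk at -1397, `rc != HVMCOPY_okay` folds every failure code of hvm_copy_from_guest_phys() into VMFAIL_INVALID; if any of those codes signals a transient condition (a guest frame that is not currently accessible rather than a bad address), that case should be distinguished so the instruction is retried instead of reported to the L1 guest as an invalid VMXON region. The two revision checks that follow also deserve a one-line comment stating what they enforce: the bits outside VMX_BASIC_REVISION_MASK must be clear, and the remaining bits must equal the revision identifier in vmx_basic_msr.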