[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v1 1/2] x86/vvmx: check vmcs address in vmread/vmwrite

On Wed, 2017-03-01 at 07:04 -0700, Jan Beulich wrote:
> > > > On 01.03.17 at 14:44, <sergey.dyasli@xxxxxxxxxx> wrote:
> > 
> > On Wed, 2017-03-01 at 05:55 -0700, Jan Beulich wrote:
> > > > > > On 01.03.17 at 10:13, <sergey.dyasli@xxxxxxxxxx> wrote:
> > > > 
> > > > If nested vmcs's address is invalid, virtual_vmcs_enter() will fail
> > > > during vmread/vmwrite:
> > > > 
> > > > (XEN) Xen BUG at .../git/upstream/xen/xen/include/asm/hvm/vmx/vmx.h:333
> > > > (XEN) ----[ Xen-4.9-unstable  x86_64  debug=y   Tainted:    H ]----
> > > > (XEN) Xen call trace:
> > > > (XEN)    [<ffff82d0801f925e>] 
> > > > vmcs.c#arch/x86/hvm/vmx/vmcs.o.unlikely+0x28/0x19a
> > > > (XEN)    [<ffff82d0801f60e3>] virtual_vmcs_vmwrite_safe+0x16/0x52
> > > > (XEN)    [<ffff82d080202cb2>] nvmx_handle_vmwrite+0x70/0xfe
> > > > (XEN)    [<ffff82d0801fe98a>] vmx_vmexit_handler+0x1379/0x1c49
> > > > (XEN)    [<ffff82d08020427c>] vmx_asm_vmexit_handler+0x3c/0x120
> > > > 
> > > > Fix this by emulating VMfailInvalid if the address is invalid.
> > > 
> > > So just like in patch 2 this is __vmptrld() not properly dealing with
> > > errors. Instead of doing checks in software which hardware does
> > > anyway, wouldn't it be better to introduce (and use here and
> > > there) vmptrld_safe()?
> > 
> > Currently it's assumed that virtual_vmcs_enter/exit() never fail.
> > It's easy to maintain that assumption with one simple check:
> > 
> >     nv_vvmcxaddr != INVALID_PADDR
> > 
> > as long as nvmx_handle_vmptrld() correctly checks the validity of
> > provided pointer.
> 
> Yet even more safe would be to avoid the check here and simply
> properly check and convey the instruction results.

In the future it should be possible to limit (level) the set of VMX
features provided to the guest.  One example would be VMCS shadowing.
In such cases checks mustn't be done by H/W since it can be different.

> > Additionally, it would be painful to return the correct error value
> > all the way back to nvmx_handle_vmptrld().
> 
> Surely that's at best relevant in the other patch. Here you're in
> virtual_vmcs_vmwrite_safe(), which already knows how to
> communicate back an error indicator.

How checking the return value of virtual_vmcs_enter() is different
from checking nv_vvmcxaddr?

-- 
Thanks,
Sergey
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.