Re: [Xen-devel] [PATCH v3] x86emul/fuzz: add a state sanity checking function
>>> On 27.05.19 at 12:51, <george.dunlap@xxxxxxxxxx> wrote:
> On 4/2/19 2:01 PM, Jan Beulich wrote:
>> This is to accompany sanitize_input(). Just like for initial state we
>> want to have state between two emulated insns sane, at least as far as
>> assumptions in the main emulator go. Do minimal checking after segment
>> register, CR, and MSR writes, and roll back to the old value in case of
>> failure (raising #GP(0) at the same time).
>>
>> In the particular case observed, a CR0 write clearing CR0.PE was
>> followed by a VEX-encoded insn, which the decoder accepts based on
>> guest address size, restricting things just outside of the 64-bit case
>> (real and virtual modes don't allow VEX-encoded insns). Subsequently
>> _get_fpu() would then assert that CR0.PE must be set (and EFLAGS.VM
>> clear) when trying to invoke YMM, ZMM, or OPMASK state.
>>
>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>
> Reviewed-by: George Dunlap <george.dunlap@xxxxxxxxxx>

Thanks.

> That said, I wonder if there's a way to avoid the duplication between
> sanitize_input() and check_state(). Another option would be to rework
> sanitize_input() (perhaps as sanitize_state()):
> * Accept a parameter saying whether to do optional changes (like
>   CANONICALIZE_MAYBE)
> * Return a boolean saying whether any state was in fact sanitized.
>
> Then the current callers of check_state() could instead call
> sanitize_state(), and throw an exception if it returns 1. (Or some
> variation thereof.)

I did consider this at the time, but the two functions aren't doing
exactly the same validation. For example this

    /* EFLAGS.VM not available in long mode */
    if ( long_mode_active(ctxt) )
        regs->rflags &= ~X86_EFLAGS_VM;

has no equivalent in check_state(), for it being an emulator bug to
ever set EFLAGS.VM in long mode. I therefore thought it would be
better to keep them separate despite there being partial redundancy.
If the set of checks grows, we could consider factoring out the common
subset into a helper function.

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
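The check-then-roll-back pattern the patch describes, and the reason Jan gives for keeping sanitize_input() and check_state() apart, as an added stand-alone example. This is not the patch's code nor any part of the Xen x86 emulator: `struct emu_state`, `struct emu_exception`, `write_cr0()`, `vex_allowed()` and the `scenario_*()` helpers are hypothetical stand-ins, reduced to CR0, EFLAGS and EFER; only the return-code names follow the emulator's naming. The invariants encoded in `check_state()` (CR0.PG requires CR0.PE, EFLAGS.VM requires CR0.PE, EFER.LMA requires both and excludes EFLAGS.VM) are the architectural rules from the x86 manuals. The first scenario replays the case from the commit message: a CR0 write clearing PE in 64-bit mode is rejected with #GP(0) and rolled back, so a following VEX-encoded insn still sees a consistent mode; the third shows why a repairing sanitizer and a rejecting checker are different functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions as in the x86 architecture manuals. */
#define X86_CR0_PE     (1ULL << 0)
#define X86_CR0_PG     (1ULL << 31)
#define X86_EFLAGS_VM  (1ULL << 17)
#define EFER_LMA       (1ULL << 10)
#define X86_EXC_GP     13

enum { X86EMUL_OKAY = 0, X86EMUL_EXCEPTION = 1 };

/* Hypothetical, reduced stand-in for the emulator's register state. */
struct emu_state { uint64_t cr0, rflags, efer; };
struct emu_exception { unsigned int vector, error_code; };

static bool long_mode_active(const struct emu_state *s)
{
    return s->efer & EFER_LMA;
}

/* check_state(): invariants the main emulator relies on between insns. Reports, never repairs. */
static bool check_state(const struct emu_state *s)
{
    bool pe = s->cr0 & X86_CR0_PE, pg = s->cr0 & X86_CR0_PG;
    bool vm = s->rflags & X86_EFLAGS_VM;
    if ( pg && !pe )                          /* paging requires protected mode */
        return false;
    if ( vm && !pe )                          /* VM86 is a sub-mode of protected mode */
        return false;
    if ( long_mode_active(s) && !(pe && pg) ) /* EFER.LMA implies PE and PG */
        return false;
    if ( long_mode_active(s) && vm )          /* EFLAGS.VM not available in long mode */
        return false;
    return true;
}

/* sanitize_input(): fix up fuzzer-supplied initial state in place rather than
 * reject it, which is why it is not the same function as check_state(). */
static bool sanitize_input(struct emu_state *s)
{
    uint64_t old_rflags = s->rflags;
    if ( long_mode_active(s) )
        s->rflags &= ~X86_EFLAGS_VM;
    return s->rflags != old_rflags;           /* true if anything was changed */
}

/* CR0 write hook: apply, check, and on failure roll back while raising #GP(0). */
static int write_cr0(struct emu_state *s, uint64_t val, struct emu_exception *exc)
{
    uint64_t old = s->cr0;
    s->cr0 = val;
    if ( check_state(s) )
        return X86EMUL_OKAY;
    s->cr0 = old;
    exc->vector = X86_EXC_GP;
    exc->error_code = 0;
    return X86EMUL_EXCEPTION;
}

/* Decoder gate: VEX encodings are undefined in real and virtual-8086 modes. */
static bool vex_allowed(const struct emu_state *s)
{
    return (s->cr0 & X86_CR0_PE) && !(s->rflags & X86_EFLAGS_VM);
}

/* Scenario from the patch: clear CR0.PE in 64-bit mode, then decode a VEX insn. */
static int scenario_clear_pe_in_long_mode(void)
{
    struct emu_state s = { X86_CR0_PE | X86_CR0_PG, 0, EFER_LMA };
    struct emu_exception exc = { 0, 0 };
    int rc = write_cr0(&s, s.cr0 & ~X86_CR0_PE, &exc);
    /* Rejected with #GP(0), CR0.PE still set, so the VEX path stays consistent. */
    return rc == X86EMUL_EXCEPTION && exc.vector == X86_EXC_GP &&
           exc.error_code == 0 && vex_allowed(&s);
}

/* Legacy protected mode without paging: clearing PE is a legal drop to real mode. */
static int scenario_clear_pe_in_legacy_mode(void)
{
    struct emu_state s = { X86_CR0_PE, 0, 0 };
    struct emu_exception exc = { 0, 0 };
    int rc = write_cr0(&s, 0, &exc);
    return rc == X86EMUL_OKAY && !(s.cr0 & X86_CR0_PE) && !vex_allowed(&s);
}

/* Fuzzer-supplied input with EFLAGS.VM set in long mode: repaired, not rejected. */
static int scenario_sanitize_vm_in_long_mode(void)
{
    struct emu_state s = { X86_CR0_PE | X86_CR0_PG, X86_EFLAGS_VM, EFER_LMA };
    return !check_state(&s) && sanitize_input(&s) &&
           !(s.rflags & X86_EFLAGS_VM) && check_state(&s);
}

int main(void)
{
    printf("%d %d %d\n", scenario_clear_pe_in_long_mode(),
           scenario_clear_pe_in_legacy_mode(), scenario_sanitize_vm_in_long_mode());
    return 0;
}
```

Each scenario returns 1 when the behaviour matches the description. The split between a write hook that applies, checks and rolls back and a pure `check_state()` keeps the checker reusable after segment register and MSR writes as well; the sanitizer's silent fix-up of EFLAGS.VM has no counterpart in the checker because, once emulation has started, that combination can only come from an emulator bug.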