Xen project Mailing List

Re: [PATCH] VT-x: simplify/clarify vmx_load_pdptrs()

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Thu, 18 Jun 2020 12:11:13 +0200

Authentication-results: esa2.hc3370-68.iphmx.com; dkim=none (message not signed) header.i=none

Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Kevin Tian <kevin.tian@xxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Jun Nakajima <jun.nakajima@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Delivery-date: Thu, 18 Jun 2020 10:11:29 +0000

Ironport-sdr: 4xFnDDohsQfjgZbIbrpl7jJ4JNpxOzlFDDHTpYX4i/kLb4bQRTQl97nvtobJu6d2W4llrfZu5P dGldkYKylSxAwcRr/zFOpdAwIqdXi1jzXBzj7e2PGBYPFvkxxjJsQybhaCcTPYol1njRUhlW4K 5orALwiplwQ2Ni9/vCfN6+PnYa/6PPUJpnUVjhHo8EEEp3tXKR1twaZvhIea1q/2naal7UOn3T p9f7OWseNvZhwzyey3dVf88NmBUtsLk+rz9oAe6kufnDSIcwiQwcfBSTB/u1PVj+RcxQv20KG2 3+0=

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Jun 18, 2020 at 08:38:27AM +0200, Jan Beulich wrote: > * Guests outside of long mode can't have PCID enabled. Drop the > respective check to make more obvious that there's no security issue > (from potentially accessing past the mapped page's boundary). > > * Only the low 32 bits of CR3 are relevant outside of long mode, even > if they remained unchanged after leaving that mode. > > * Drop the unnecessary and badly typed local variable p. > > * Don't open-code hvm_long_mode_active() (and extend this to the related > nested VT-x code). > > * Constify guest_pdptes to clarify that we're only reading from the > page. > > Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> Reviewed-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> As it's no worse that what was there before, yet I have a question. > --- > This is intentionally not addressing any of the other shortcomings of > the function, as was done by the previously posted > https://lists.xenproject.org/archives/html/xen-devel/2018-07/msg01790.html. > This will need to be the subject of a further change. > > --- a/xen/arch/x86/hvm/vmx/vmx.c > +++ b/xen/arch/x86/hvm/vmx/vmx.c > @@ -1312,17 +1312,16 @@ static void vmx_set_interrupt_shadow(str > > static void vmx_load_pdptrs(struct vcpu *v) > { > - unsigned long cr3 = v->arch.hvm.guest_cr[3]; > - uint64_t *guest_pdptes; > + uint32_t cr3 = v->arch.hvm.guest_cr[3]; > + const uint64_t *guest_pdptes; > struct page_info *page; > p2m_type_t p2mt; > - char *p; > > /* EPT needs to load PDPTRS into VMCS for PAE. */ > - if ( !hvm_pae_enabled(v) || (v->arch.hvm.guest_efer & EFER_LMA) ) > + if ( !hvm_pae_enabled(v) || hvm_long_mode_active(v) ) > return; > > - if ( (cr3 & 0x1fUL) && !hvm_pcid_enabled(v) ) > + if ( cr3 & 0x1f ) > goto crash; Intel SDM says bits 0 to 4 are ignored, not reserved, so I'm not sure we need to crash the guest here. I have no reference how real hardware behaves here, so maybe crashing is the right thing to do. > > page = get_page_from_gfn(v->domain, cr3 >> PAGE_SHIFT, &p2mt, > P2M_UNSHARE); > @@ -1332,14 +1331,12 @@ static void vmx_load_pdptrs(struct vcpu > * queue, but this is the wrong place. We're holding at least > * the paging lock */ > gdprintk(XENLOG_ERR, > - "Bad cr3 on load pdptrs gfn %lx type %d\n", > + "Bad cr3 on load pdptrs gfn %"PRIx32" type %d\n", > cr3 >> PAGE_SHIFT, (int) p2mt); > goto crash; > } > > - p = __map_domain_page(page); > - > - guest_pdptes = (uint64_t *)(p + (cr3 & ~PAGE_MASK)); > + guest_pdptes = __map_domain_page(page) + (cr3 & ~PAGE_MASK); Instead I think this could be: guest_pdptes = __map_domain_page(page) + (cr3 & ~(PAGE_MASK | 0x1f)); Thanks, Roger.

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.