On 11/05/2017 09:42, Dan Carpenter wrote:
> On Thu, May 11, 2017 at 09:31:17AM +0200, Paolo Bonzini wrote:
>>
>>
>> On 10/05/2017 22:43, Dan Carpenter wrote:
>>> There are PML_ENTITY_NUM elements in the pml_address[] array so the >
>>> should be >= or we write beyond the end of the array when we do:
>>>
>>> 	pml_address[vmcs12->guest_pml_index--] = gpa;
>>>
>>> This causes a static checker warning but the runtime impact is minimal.
>>> The ->guest_pml_index variable can only be set to PML_ENTITY_NUM by a
>>> buggy hypervisor.
>>
>> The v1 commit message is better actually.  You can always replace
>> "buggy" with "malicious".
>
> Can't the hypervisor already basically do what it wants?

Here you have a nested hypervisor, that can force the host hypervisor to do
a kmap and write at offset 4096 inside (well, actually outside...) that
kmap.

Paolo
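The off-by-one being discussed, as an added stand-alone model rather than KVM's own code: a guest-controlled `guest_pml_index` is checked against the element count of `pml_address[]`, and a `>` comparison lets `PML_ENTITY_NUM` itself through, so the subsequent store lands one `u64` past the end of the page. The struct names, the `try_log` harness and the value 512 for `PML_ENTITY_NUM` are assumptions of this example (the thread does not state the constant); the model refuses the out-of-bounds store and reports it instead of performing it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the structures named in the thread; not KVM's code.
 * 512 is assumed here as the number of PML entries in one 4 KiB page. */
#define PML_ENTITY_NUM 512

struct vmcs12_model {
    uint16_t guest_pml_index;   /* index chosen by the (nested) hypervisor */
};

struct pml_page_model {
    uint64_t pml_address[PML_ENTITY_NUM];
};

/* Buggy check from the thread: only idx > PML_ENTITY_NUM is rejected, so
 * idx == PML_ENTITY_NUM passes and indexes one element past the array. */
static bool pml_index_ok_buggy(uint16_t idx)
{
    return !(idx > PML_ENTITY_NUM);
}

/* Fixed check: a valid index is strictly less than the element count. */
static bool pml_index_ok_fixed(uint16_t idx)
{
    return !(idx >= PML_ENTITY_NUM);
}

/* Log one GPA into the PML page using the supplied range check.
 * Returns 1 if the entry was written and the index decremented,
 *         0 if the check rejected the index (KVM would signal PML-full),
 *        -1 if the check accepted an index that would write out of bounds
 *           (detected here and refused instead of corrupting memory). */
static int pml_log_gpa(struct pml_page_model *page, struct vmcs12_model *v,
                       uint64_t gpa, bool (*check)(uint16_t))
{
    if (!check(v->guest_pml_index))
        return 0;
    if (v->guest_pml_index >= PML_ENTITY_NUM)
        return -1;   /* the check was insufficient */
    page->pml_address[v->guest_pml_index--] = gpa;
    return 1;
}

/* One write attempt starting from idx with either check; returns pml_log_gpa's result. */
static int try_log(uint16_t idx, bool use_fixed)
{
    struct pml_page_model page = {0};
    struct vmcs12_model v = { .guest_pml_index = idx };
    uint64_t sample_gpa = 0x1000;   /* constructed guest-physical address */
    return pml_log_gpa(&page, &v, sample_gpa,
                       use_fixed ? pml_index_ok_fixed : pml_index_ok_buggy);
}

int main(void)
{
    printf("index %d, buggy check: %d\n", PML_ENTITY_NUM, try_log(PML_ENTITY_NUM, false));
    printf("index %d, fixed check: %d\n", PML_ENTITY_NUM, try_log(PML_ENTITY_NUM, true));
    printf("index %d, fixed check: %d\n", PML_ENTITY_NUM - 1, try_log(PML_ENTITY_NUM - 1, true));
    return 0;
}
```

With the guest index set to `PML_ENTITY_NUM`, the buggy check returns -1 (it would have written `pml_address[512]`, i.e. at byte offset 4096 of a 4 KiB page, just outside the mapping as Paolo describes), while the fixed check returns 0; any in-range index is logged by both.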