2017-12-05 8:28 GMT+08:00 Jim Mattson <jmattson@xxxxxxxxxx>:
> That seems like a convoluted path to produce an illegal RFLAGS value.
> What's to prevent syzkaller from simply clearing bit 1 of RFLAGS with
> the KVM_SET_REGS ioctl?
Yeah, it can happen. Which do you prefer, ioctl fails or |
X86_EFLAGS_FIXED unconditionally in the ioctl handler in kvm?
Regards,
Wanpeng Li
>
> On Mon, Nov 20, 2017 at 4:34 PM, Wanpeng Li <kernellwp@xxxxxxxxx> wrote:
>> 2017-11-21 7:09 GMT+08:00 Paolo Bonzini <pbonzini@xxxxxxxxxx>:
>>> On 20/11/2017 23:52, Wanpeng Li wrote:
>>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>> index b348920..131fa1c 100644
>>>> --- a/arch/x86/kvm/vmx.c
>>>> +++ b/arch/x86/kvm/vmx.c
>>>> @@ -5590,6 +5590,7 @@ static void vmx_vcpu_reset(struct kvm_vcpu *vcpu, bool init_event)
>>>> vmcs_write64(GUEST_IA32_DEBUGCTL, 0);
>>>> }
>>>>
>>>> + kvm_set_rflags(vcpu, 2);
>>>> vmcs_writel(GUEST_RFLAGS, 0x02);
>>>
>>> I think the vmcs_writel can go, kvm_set_rflags ends up calling
>>> vmx_set_rflags.
>>
>> Agreed.
>>
>>>
>>>> kvm_rip_write(vcpu, 0xfff0);
>>>>
>>>>
>>>
>>> Beautified testcase:
>>>
>>> #include <unistd.h>
>>> #include <sys/syscall.h>
>>> #include <string.h>
>>> #include <stdint.h>
>>> #include <linux/kvm.h>
>>> #include <fcntl.h>
>>> #include <sys/ioctl.h>
>>>
>>> long r[5];
>>> int main()
>>> {
>>> struct kvm_debugregs dr = { 0 };
>>>
>>> r[2] = open("/dev/kvm", O_RDONLY);
>>> r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
>>> r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);
>>> struct kvm_guest_debug debug = {
>>> .control = 0xf0403,
>>> .arch = {
>>> .debugreg[6] = 0x2,
>>> .debugreg[7] = 0x2
>>> }
>>> };
>>> ioctl(r[4], KVM_SET_GUEST_DEBUG, &debug);
>>> ioctl(r[4], KVM_RUN, 0);
>>> }
>>>
>>> No need to do anything, I'll handle this patch after -rc1.
>>
>> Thanks for that. :)
>>
>> Regards,
>> Wanpeng Li
