Re: [PATCH 1/2] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts

2017-12-05 19:24 GMT+08:00 Quan Xu <quan.xu0@xxxxxxxxx>:
>
>
> On 2017/12/05 01:10, Jim Mattson wrote:
>>
>> Google has carried this patch since long before my time. I would
>> suggest modifying the kvm-unit-test to (a) unroll the loop ~1000
>> times, and (b) execute out to port 0x80 from ~64 vcpu threads in
>> parallel.
>
>
> Jim, could you reproduce it on all of your machine types?
> I can't reproduce it on 2 types of my machines.. btw, it is not a good idea
> to
> open reproduction here :(..

My fault; however, luckily, we still can't reproduce it by the method
which Jim pointed out. :)

Regards,
Wanpeng Li

>
> I do believe you can reproduce it on your machine. Could you have a try:
> without a guest, flood port 0x80 with writes in the host kernel.. does it lead to a
> crash?
> If the host kernel crashes, is it a machine hardware issue, a kernel issue, or
> both?
>
>
> Quan
> Alibaba Cloud
>
>
>
>> On Mon, Dec 4, 2017 at 4:44 AM, Wanpeng Li <kernellwp@xxxxxxxxx> wrote:
>>>
>>> Hi Jim,
>>> 2017-12-02 2:21 GMT+08:00 Jim Mattson <jmattson@xxxxxxxxxx>:
>>>>
>>>> From: Andrew Honig <ahonig@xxxxxxxxxx>
>>>>
>>>> This fixes CVE-2017-1000407.
>>>
>>> Do you observe a real issue on recent Intel boxes? In addition, how do you
>>> reproduce it? Actually there is a testcase in kvm-unit-tests which can
>>> write to ioport 0x80 10 million times, and I didn't observe any issue
>>> before. :)
>>>
>>> Regards,
>>> Wanpeng Li
>>>
>>>> KVM allows guests to directly access I/O port 0x80 on Intel hosts.  If
>>>> the guest floods this port with writes it generates exceptions and
>>>> instability in the host kernel, leading to a crash.  With this change
>>>> guest writes to port 0x80 on Intel will behave the same as they
>>>> currently behave on AMD systems.
>>>>
>>>> Prevent the flooding by removing the code that sets port 0x80 as a
>>>> passthrough port.  This is essentially the same as upstream patch
>>>> 99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
>>>> for AMD chipsets and this patch is for Intel.
>>>>
>>>> Signed-off-by: Andrew Honig <ahonig@xxxxxxxxxx>
>>>> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
>>>> ---
>>>>   arch/x86/kvm/vmx.c | 5 -----
>>>>   1 file changed, 5 deletions(-)
>>>>
>>>> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
>>>> index d2b452d66363..d16abd1808eb 100644
>>>> --- a/arch/x86/kvm/vmx.c
>>>> +++ b/arch/x86/kvm/vmx.c
>>>> @@ -6753,12 +6753,7 @@ static __init int hardware_setup(void)
>>>>          memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
>>>>          memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
>>>>
>>>> -       /*
>>>> -        * Allow direct access to the PC debug port (it is often used
>>>> for I/O
>>>> -        * delays, but the vmexits simply slow things down).
>>>> -        */
>>>>          memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
>>>> -       clear_bit(0x80, vmx_io_bitmap_a);
>>>>
>>>>          memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
>>>>
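Review bot: the removed comment was the only record in hardware_setup() of why port 0x80 was passed through (guests use it for I/O delays), and nothing replaces it, so a future reader sees only `memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);` with no hint that the debug port is now intercepted on purpose. Suggest keeping a one-line comment at that spot saying that port 0x80 is deliberately left in the intercept bitmap because guest writes to it can destabilise the host (the CVE named in the commit message), and stating in the commit message that guests which rely on outb to 0x80 for delays will now take a VM exit per write, the cost the removed comment itself warned about.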
>>>> --
>>>> 2.15.0.531.g2ccb3012c9-goog
>>>>
>
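The change under discussion flips one bit in KVM's VMX I/O bitmaps. The model below is an added example, not KVM code: it reproduces the VMX I/O-bitmap semantics (bitmap A covers ports 0x0000-0x7FFF, bitmap B covers 0x8000-0xFFFF, and a set bit means an IN/OUT to that port causes a VM exit) with plain C arrays, so the pre-patch and post-patch setups can be compared; the helper names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096

/* Two 4 KiB bitmaps as VMX defines them: A covers ports 0x0000-0x7FFF,
 * B covers 0x8000-0xFFFF. Set bit = VM exit on IN/OUT, clear bit = passthrough. */
static uint8_t io_bitmap_a[PAGE_SIZE];
static uint8_t io_bitmap_b[PAGE_SIZE];

/* Byte-array equivalents of the kernel's clear_bit()/test_bit() (hypothetical names). */
static void bm_clear_bit(uint8_t *bm, unsigned int bit) { bm[bit / 8] &= (uint8_t)~(1u << (bit % 8)); }
static int bm_test_bit(const uint8_t *bm, unsigned int bit) { return (bm[bit / 8] >> (bit % 8)) & 1; }

/* 1 if a guest IN/OUT to `port` would cause a VM exit under the current bitmaps. */
int port_is_intercepted(uint16_t port)
{
    if (port < 0x8000)
        return bm_test_bit(io_bitmap_a, port);
    return bm_test_bit(io_bitmap_b, port - 0x8000u);
}

/* Pre-patch setup: intercept every port except the PC debug port 0x80. */
void setup_bitmaps_with_0x80_bypass(void)
{
    memset(io_bitmap_a, 0xff, PAGE_SIZE);
    bm_clear_bit(io_bitmap_a, 0x80);
    memset(io_bitmap_b, 0xff, PAGE_SIZE);
}

/* Post-patch setup: intercept every port, matching the behaviour on AMD. */
void setup_bitmaps_intercept_all(void)
{
    memset(io_bitmap_a, 0xff, PAGE_SIZE);
    memset(io_bitmap_b, 0xff, PAGE_SIZE);
}

/* Audit helper: how many of the 65536 ports bypass the hypervisor. */
unsigned int count_passthrough_ports(void)
{
    unsigned int n = 0;
    for (unsigned int p = 0; p <= 0xffffu; p++)
        if (!port_is_intercepted((uint16_t)p))
            n++;
    return n;
}

int main(void)
{
    setup_bitmaps_with_0x80_bypass();
    printf("before: port 0x80 intercepted=%d, passthrough ports=%u\n",
           port_is_intercepted(0x80), count_passthrough_ports());
    setup_bitmaps_intercept_all();
    printf("after:  port 0x80 intercepted=%d, passthrough ports=%u\n",
           port_is_intercepted(0x80), count_passthrough_ports());
    return 0;
}
```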