Re: [PATCH 07/22] KVM: nVMX: Verify VMCS shadowing VMCS link pointer

Radim Krčmář <rkrcmar@xxxxxxxxxx> · Wed, 27 Jun 2018 17:55:07 +0200

2018-06-23 02:35+0300, Liran Alon:
> Intel SDM considers these checks to be part of
> "Checks on Guest Non-Register State".
> 
> Note that it is legal for vmcs->vmcs_link_pointer to be -1ull
> when VMCS shadowing is enabled. In this case, any VMREAD/VMWRITE to
> shadowed-field sets the ALU flags for VMfailInvalid (i.e. CF=1).
> 
> Signed-off-by: Liran Alon <liran.alon@xxxxxxxxxx>
> Signed-off-by: Jim Mattson <jmattson@xxxxxxxxxx>
> ---
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> @@ -11658,6 +11658,33 @@ static int check_vmentry_prereqs(struct kvm_vcpu *vcpu, struct vmcs12 *vmcs12)
>  	return 0;
>  }
>  
> +static int nested_vmx_check_vmcs_link_ptr(struct kvm_vcpu *vcpu,
> +					  struct vmcs12 *vmcs12)
> +{
> +	int r;
> +	struct page *page;
> +	struct vmcs12 *shadow;
> +
> +	if (vmcs12->vmcs_link_pointer == -1ull)
> +		return 0;
> +
> +	if (!page_address_valid(vcpu, vmcs12->vmcs_link_pointer))
> +		return -EINVAL;
> +
> +	page = kvm_vcpu_gpa_to_page(vcpu, vmcs12->vmcs_link_pointer);
> +	if (is_error_page(page))
> +		return -EINVAL;
> +
> +	r = 0;
> +	shadow = kmap(page);
> +	if (shadow->hdr.revision_id != VMCS12_REVISION ||
> +	    shadow->hdr.shadow_vmcs != nested_cpu_has_shadow_vmcs(vmcs12))
> +		r = -EINVAL;
> +	kunmap(page);
> +	kvm_release_page_clean(page);

We don't need to check the executive VMCS because the feature is not
exposed, but I think that checking that the linked vmcs is not the
current vmcs should still be done.