On Wed, Jun 05, 2019 at 10:57:29PM +0300, Eugene Korenevsky wrote:
> Intel SDM vol. 3, 5.3:
> The processor causes a
> general-protection exception (or, if the segment is SS, a stack-fault
> exception) any time an attempt is made to access the following addresses
> in a segment:
> - A byte at an offset greater than the effective limit
> - A word at an offset greater than the (effective-limit – 1)
> - A doubleword at an offset greater than the (effective-limit – 3)
> - A quadword at an offset greater than the (effective-limit – 7)
>
> Therefore, the generic limit checking error condition must be
>
> exn = (off > limit + 1 - access_len) = (off + access_len - 1 > limit)
>
> but not
>
> exn = (off + access_len > limit)
>
> as for now.
>
> Note: access length is incorrectly set to sizeof(u64). This will be fixed in
> the subsequent patch.
>
> Signed-off-by: Eugene Korenevsky <ekorenevsky@xxxxxxxxx>
> ---
> Changes in v3 since v2: fixed limit checking condition to avoid underflow;
> added note
>
> arch/x86/kvm/vmx/nested.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/kvm/vmx/nested.c b/arch/x86/kvm/vmx/nested.c
> index f1a69117ac0f..93df72597c72 100644
> --- a/arch/x86/kvm/vmx/nested.c
> +++ b/arch/x86/kvm/vmx/nested.c
> @@ -4115,7 +4115,7 @@ int get_vmx_mem_address(struct kvm_vcpu *vcpu, unsigned long exit_qualification,
> */
> if (!(s.base == 0 && s.limit == 0xffffffff &&
> ((s.type & 8) || !(s.type & 4))))
> - exn = exn || (off + sizeof(u64) > s.limit);
> + exn = exn || (off + sizeof(u64) - 1 > s.limit);
This still has a wrap bug in 32-bit KVM, e.g. off == 0xffffffff will
incorrectly pass the limit check due to wrapping its unsigned long.
> }
> if (exn) {
> kvm_queue_exception_e(vcpu,
> --
> 2.21.0
>
