Re: [PATCH 1/2] KVM: SVM: Fix workaround for AMD Errata 1096

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


> On 16 Jul 2019, at 18:56, Liran Alon <liran.alon@xxxxxxxxxx> wrote:
> 
> 
> 
>> On 16 Jul 2019, at 18:48, Singh, Brijesh <brijesh.singh@xxxxxxx> wrote:
>> 
>> On 7/15/19 3:30 PM, Liran Alon wrote:
>>> According to AMD Errata 1096:
>>> "On a nested data page fault when CR4.SMAP = 1 and the guest data read generates a SMAP violation, the
>>> GuestInstrBytes field of the VMCB on a VMEXIT will incorrectly return 0h instead the correct guest instruction
>>> bytes."
>>> 
>>> As stated above, errata is encountered when guest read generates a SMAP violation. i.e. vCPU runs
>>> with CPL<3 and CR4.SMAP=1. However, code have mistakenly checked if CPL==3 and CR4.SMAP==0.
>>> 
>> 
>> The SMAP violation will occur from CPL3 so CPL==3 is a valid check.
>> 
>> See [1] for complete discussion
>> 
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__patchwork.kernel.org_patch_10808075_-2322479271&d=DwIGaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=Jk6Q8nNzkQ6LJ6g42qARkg6ryIDGQr-yKXPNGZbpTx0&m=RAt8t8nBaCxUPy5OTDkO0n8BMQ5l9oSfLMiL0TLTu6c&s=Nkwe8rTJhygBCIPz27LXrylptjnWyMwB-nJaiowWpWc&e= 
> 
> I still don’t understand. SMAP is a mechanism which is meant to protect a CPU running in CPL<3 from mistakenly referencing data controllable by CPL==3.
> Therefore, SMAP violation should be raised when CPL<3 and data referenced is mapped in page-tables with PTE with U/S bit set to 1. (i.e. User accessible).
> 
> Thus, we should check if CPL<3 and CR4.SMAP==1.
> 
> -Liran
> 

To clarify, I would assume that to simulate this Errata we should perform the following:
1) Guest maps code in page-tables as user-accessible (i.e. PTE with U/S bit set to 1).
2) Guest executes this code with CPL<3 (even though mapped as user-accessible which is a security vulnerability in itself…) which access data that is not mapped or marked as reserved in NPT and therefore cause #NPF.
3) Physical CPU DecodeAssist feature attempts to fill-in guest instruction bytes. So it reads as data the guest instructions while CPU is currently with CPL<3, CR4.SMAP=1 and code is mapped as user-accessible. Therefore, this fill-in raise a SMAP violation which cause #NPF to be raised to KVM with 0 instruction bytes.

Am I mistaken in my analysis?

-Liran
[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux