Re: [PATCH v3 49/75] x86/sev-es: Handle instruction fetches from user-space

Borislav Petkov <bp@xxxxxxxxx> · Sat, 23 May 2020 11:23:51 +0200

On Tue, Apr 28, 2020 at 05:16:59PM +0200, Joerg Roedel wrote:
> From: Joerg Roedel <jroedel@xxxxxxx>
> 
> When a #VC exception is triggered by user-space the instruction decoder
> needs to read the instruction bytes from user addresses.  Enhance
> vc_decode_insn() to safely fetch kernel and user instructions.
> 
> Signed-off-by: Joerg Roedel <jroedel@xxxxxxx>
> ---
>  arch/x86/kernel/sev-es.c | 31 ++++++++++++++++++++++---------
>  1 file changed, 22 insertions(+), 9 deletions(-)
> 
> diff --git a/arch/x86/kernel/sev-es.c b/arch/x86/kernel/sev-es.c
> index 85027fb4177e..c2223c2a28c2 100644
> --- a/arch/x86/kernel/sev-es.c
> +++ b/arch/x86/kernel/sev-es.c
> @@ -165,17 +165,30 @@ static enum es_result vc_decode_insn(struct es_em_ctxt *ctxt)
>  	enum es_result ret;
>  	int res;
>  
> -	res = vc_fetch_insn_kernel(ctxt, buffer);
> -	if (unlikely(res == -EFAULT)) {

Let's also test for 0 in case the probe_read* guts get changed and start
returning so other errval besides -EFAULT.

> -		ctxt->fi.vector     = X86_TRAP_PF;
> -		ctxt->fi.error_code = 0;
> -		ctxt->fi.cr2        = ctxt->regs->ip;
> -		return ES_EXCEPTION;
> +	if (!user_mode(ctxt->regs)) {

Flip that check so that it reads more naturally:

	if (user_mode(..)
			insn_fetch_from_user()

		...
	} else {
		vc_fetch_insn_kernel()

	}

> +		res = vc_fetch_insn_kernel(ctxt, buffer);

> +		if (unlikely(res == -EFAULT)) {
> +			ctxt->fi.vector     = X86_TRAP_PF;
> +			ctxt->fi.error_code = 0;
> +			ctxt->fi.cr2        = ctxt->regs->ip;
> +			return ES_EXCEPTION;
> +		}
> +
> +		insn_init(&ctxt->insn, buffer, MAX_INSN_SIZE - res, 1);
> +		insn_get_length(&ctxt->insn);
> +	} else {
> +		res = insn_fetch_from_user(ctxt->regs, buffer);
> +		if (res == 0) {

		if (!res)

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette