On Thu, Jul 9, 2020 at 10:25 AM Paolo Bonzini <pbonzini@xxxxxxxxxx> wrote: > > On 09/07/20 19:12, Jim Mattson wrote: > >> + > >> + /* The processor ignores EFER.LMA, but svm_set_efer needs it. */ > >> + efer &= ~EFER_LMA; > >> + if ((nested_vmcb->save.cr0 & X86_CR0_PG) > >> + && (nested_vmcb->save.cr4 & X86_CR4_PAE) > >> + && (efer & EFER_LME)) > >> + efer |= EFER_LMA; > > The CR4.PAE check is unnecessary, isn't it? The combination CR0.PG=1, > > EFER.LMA=1, and CR4.PAE=0 is not a legal processor state. Oops, I meant EFER.LME above. Krish pointed out that I was quoting from Intel's documentation. The same constraints are covered in Table 14-5 of AMD's APM, volume 2. > Yeah, I was being a bit cautious because this is the nested VMCB and it > can be filled in with invalid state, but indeed that condition was added > just yesterday by myself in nested_vmcb_checks (while reviewing Krish's > CR0/CR3/CR4 reserved bit check series). >From Canonicalization and Consistency Checks of section 15.5 in AMD's APM, volume 2: The following conditions are considered illegal state combinations: ... EFER.LME and CR0.PG are both set and CR4.PAE is zero. This VMCB state should result in an immediate #VMEXIT with exit code -1. > That said, the VMCB here is guest memory and it can change under our > feet between nested_vmcb_checks and nested_prepare_vmcb_save. Copying > the whole save area is overkill, but we probably should copy at least > EFER/CR0/CR3/CR4 in a struct at the beginning of nested_svm_vmrun; this > way there'd be no TOC/TOU issues between nested_vmcb_checks and > nested_svm_vmrun. This would also make it easier to reuse the checks in > svm_set_nested_state. Maybe Maxim can look at it while I'm on vacation, > as he's eager to do more nSVM stuff. :D I fear that nested SVM is rife with TOCTTOU issues.
