>-----Original Message-----
>From: Sean Christopherson <seanjc@xxxxxxxxxx>
>Sent: Wednesday, September 8, 2021 8:08 AM
>To: Duan, Zhenzhong <zhenzhong.duan@xxxxxxxxx>
>Cc: kvm@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx; pbonzini@xxxxxxxxxx; vkuznets@xxxxxxxxxx; wanpengli@xxxxxxxxxxx; jmattson@xxxxxxxxxx; joro@xxxxxxxxxx
>Subject: Re: [PATCH] KVM: VMX: Fix a TSX_CTRL_CPUID_CLEAR field mask issue
>
>On Mon, Sep 06, 2021, Zhenzhong Duan wrote:
>> Host value of TSX_CTRL_CPUID_CLEAR field should be unchangeable by
>> guest, but the mask for this purpose is set to a wrong value. So it
>> doesn't take effect.
>
>It would be helpful to provide a bit more info as to just how bad/boneheaded
>this bug is. E.g.
>
>  When updating the host's mask for its MSR_IA32_TSX_CTRL user return entry,
>  clear the mask in the found uret MSR instead of vmx->guest_uret_msrs[i].
>  Modifying guest_uret_msrs directly is completely broken as 'i' does not
>  point at the MSR_IA32_TSX_CTRL entry. In fact, it's guaranteed to be an
>  out-of-bounds access as 'i' is always set to kvm_nr_uret_msrs in a prior
>  loop. By sheer dumb luck, the fallout is limited to "only" failing to
>  preserve the host's TSX_CTRL_CPUID_CLEAR. The out-of-bounds access is
>  benign as it's guaranteed to clear a bit in a guest MSR value, which are
>  always zero at vCPU creation on both x86-64 and i386.

Sorry for late response, I missed this mail by a wrong mail rule.

Your comment is more clear, I'll use it in v2.

Thanks
Zhenzhong
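As an added illustration (not the KVM source, and not code written by either participant), the defect pattern Sean describes in plain C: a setup loop leaves `i` equal to the number of active entries, a later line reuses that stale `i` as though it addressed the entry that the lookup found, and the fixed form writes through the pointer the lookup returned instead. The `struct uret_msr`/`struct vcpu` layout, `find_uret_msr()`, the `setup_uret_msrs_*` functions and the constructed MSR list are hypothetical; `MSR_IA32_TSX_CTRL` and `TSX_CTRL_CPUID_CLEAR` use the values from the Linux headers.

```c
/* Hypothetical model of KVM's user-return MSR table; not the kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MSR_IA32_TSX_CTRL     0x122            /* as in Linux msr-index.h */
#define TSX_CTRL_CPUID_CLEAR  (1ULL << 1)      /* as in Linux msr-index.h */
#define MAX_NR_URET_MSRS      4                /* table has one spare slot */

struct uret_msr {
    uint32_t index;  /* MSR number */
    uint64_t data;   /* guest value, zero at vCPU creation */
    uint64_t mask;   /* bits the guest is allowed to change */
};

struct vcpu {
    struct uret_msr guest_uret_msrs[MAX_NR_URET_MSRS];
    int nr_uret_msrs;  /* number of active entries (kvm_nr_uret_msrs) */
};

/* Constructed sample: three active MSRs, TSX_CTRL in slot 1, slot 3 unused. */
static void init_vcpu(struct vcpu *v)
{
    static const uint32_t msrs[] = { 0x100, MSR_IA32_TSX_CTRL, 0x101 };
    *v = (struct vcpu){ 0 };
    for (int i = 0; i < 3; i++)
        v->guest_uret_msrs[i].index = msrs[i];
    v->nr_uret_msrs = 3;
}

static struct uret_msr *find_uret_msr(struct vcpu *v, uint32_t msr)
{
    for (int i = 0; i < v->nr_uret_msrs; i++)
        if (v->guest_uret_msrs[i].index == msr)
            return &v->guest_uret_msrs[i];
    return NULL;
}

/* Buggy form: after the loop, 'i' == nr_uret_msrs, so the mask update
 * lands in the first unused slot rather than in the TSX_CTRL entry.
 * Returns the slot that was actually written. */
static int setup_uret_msrs_buggy(struct vcpu *v)
{
    int i;
    for (i = 0; i < v->nr_uret_msrs; i++)
        v->guest_uret_msrs[i].mask = ~0ULL;   /* guest may change every bit */

    if (find_uret_msr(v, MSR_IA32_TSX_CTRL))
        v->guest_uret_msrs[i].mask = ~(uint64_t)TSX_CTRL_CPUID_CLEAR;  /* stale i */
    return i;
}

/* Fixed form: write the mask through the entry the lookup returned.
 * Returns the slot that was written, or -1 if TSX_CTRL is absent. */
static int setup_uret_msrs_fixed(struct vcpu *v)
{
    int i;
    for (i = 0; i < v->nr_uret_msrs; i++)
        v->guest_uret_msrs[i].mask = ~0ULL;

    struct uret_msr *tsx = find_uret_msr(v, MSR_IA32_TSX_CTRL);
    if (!tsx)
        return -1;
    tsx->mask = ~(uint64_t)TSX_CTRL_CPUID_CLEAR;
    return (int)(tsx - v->guest_uret_msrs);
}

/* The property the patch must guarantee: the guest-writable mask of the
 * TSX_CTRL entry does not include TSX_CTRL_CPUID_CLEAR. */
static bool cpuid_clear_protected(struct vcpu *v)
{
    struct uret_msr *tsx = find_uret_msr(v, MSR_IA32_TSX_CTRL);
    return tsx && !(tsx->mask & TSX_CTRL_CPUID_CLEAR);
}

/* Runs one variant on a fresh vcpu; reports the slot written and whether
 * the host's CPUID_CLEAR setting ends up protected. */
static bool run_variant(bool fixed, int *slot_written)
{
    struct vcpu v;
    init_vcpu(&v);
    int slot = fixed ? setup_uret_msrs_fixed(&v) : setup_uret_msrs_buggy(&v);
    if (slot_written)
        *slot_written = slot;
    return cpuid_clear_protected(&v);
}

int main(void)
{
    int slot;
    bool ok = run_variant(false, &slot);
    printf("buggy: wrote slot %d (active entries: 3), protected=%d\n", slot, ok);
    ok = run_variant(true, &slot);
    printf("fixed: wrote slot %d, protected=%d\n", slot, ok);
    return 0;
}
```

The buggy variant writes slot 3, one past the active entries, which is why the real bug went unnoticed: the spare slot's data is zero, so clearing a bit in it changes nothing, while the TSX_CTRL entry keeps a fully writable mask and the host's CPUID_CLEAR setting is not preserved.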