Sean Christopherson <seanjc@xxxxxxxxxx> writes: > Bug the VM if KVM's emulator attempts to inject a bogus exception vector. > The guest is likely doomed even if KVM continues on, and propagating a > bad vector to the rest of KVM runs the risk of breaking other assumptions > in KVM and thus triggering a more egregious bug. > > All existing users of emulate_exception() have hardcoded vector numbers > (__load_segment_descriptor() uses a few different vectors, but they're > all hardcoded), and future users are likely to follow suit, i.e. the > change to emulate_exception() is a glorified nop. > > As for the ctxt->exception.vector check in x86_emulate_insn(), the few > known times the WARN has been triggered in the past is when the field was > not set when synthesizing a fault, i.e. for all intents and purposes the > check protects against consumption of uninitialized data. > > Signed-off-by: Sean Christopherson <seanjc@xxxxxxxxxx> > --- > arch/x86/kvm/emulate.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c > index 70a8e0cd9fdc..2aa17462a9ac 100644 > --- a/arch/x86/kvm/emulate.c > +++ b/arch/x86/kvm/emulate.c > @@ -624,7 +624,9 @@ static unsigned long seg_base(struct x86_emulate_ctxt *ctxt, int seg) > static int emulate_exception(struct x86_emulate_ctxt *ctxt, int vec, > u32 error, bool valid) > { > - WARN_ON(vec > 0x1f); > + if (KVM_EMULATOR_BUG_ON(vec > 0x1f, ctxt)) > + return X86EMUL_UNHANDLEABLE; > + > ctxt->exception.vector = vec; > ctxt->exception.error_code = error; > ctxt->exception.error_code_valid = valid; 
> @@ -5728,7 +5730,8 @@ int x86_emulate_insn(struct x86_emulate_ctxt *ctxt) > > done: > if (rc == X86EMUL_PROPAGATE_FAULT) { > - WARN_ON(ctxt->exception.vector > 0x1f); > + if (KVM_EMULATOR_BUG_ON(ctxt->exception.vector > 0x1f, ctxt)) > + return EMULATION_FAILED; > ctxt->have_exception = true; > } > if (rc == X86EMUL_INTERCEPTED) Reviewed-by: Vitaly Kuznetsov <vkuznets@xxxxxxxxxx> -- Vitaly
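Review bot: KVM_EMULATOR_BUG_ON() is not defined anywhere in this diff, so the emulate_exception() hunk only builds on top of whichever earlier patch in the series introduces that macro; the commit message should name that dependency. The new early return also deserves a sentence: bailing with X86EMUL_UNHANDLEABLE before `ctxt->exception.vector = vec;` means a caller that propagates the result now sees an emulation failure rather than a fault, which is fine for the hardcoded-vector callers the message lists (hence the "glorified nop") but is worth stating explicitly.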
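Review bot: the new `return EMULATION_FAILED;` under `done:` in x86_emulate_insn() leaves the function before the rest of the epilogue runs, including the `if (rc == X86EMUL_INTERCEPTED)` check that immediately follows; since the vCPU is being bugged that is probably intentional, but it should be confirmed that nothing later in the done: path needs to run before returning to the caller. Note also that this check is not redundant with the emulate_exception() one: it is reached only when rc == X86EMUL_PROPAGATE_FAULT and catches the case the commit message describes, where `ctxt->exception.vector` was never written when a fault was synthesized, whereas the emulate_exception() check catches a caller passing a bad vector.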