On Tue, Jun 21, 2022, Maxim Levitsky wrote:
> On 64 bit host, if the guest doesn't have X86_FEATURE_LM, we would

s/we would/KVM will

> access 16 gprs to 32-bit smram image, causing out-of-bound ram
> access.
>
> On 32 bit host, the rsm_load_state_64/enter_smm_save_state_64
> is compiled out, thus access overflow can't happen.
>
> Fixes: b443183a25ab61 ("KVM: x86: Reduce the number of emulator GPRs to '8' for 32-bit KVM")

Argh, I forgot that this is one of the like five places KVM actually respects
the long mode flag. Even worse, I fixed basically the same thing a while back,
commit b68f3cc7d978 ("KVM: x86: Always use 32-bit SMRAM save state for 32-bit
kernels").

We should really harden put_smstate() and GET_SMSTATE()...

> Signed-off-by: Maxim Levitsky <mlevitsk@xxxxxxxxxx>
> ---

Nits aside,

Reviewed-by: Sean Christopherson <seanjc@xxxxxxxxxx>

> arch/x86/kvm/emulate.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
> index 002687d17f9364..ce186aebca8e83 100644
> --- a/arch/x86/kvm/emulate.c
> +++ b/arch/x86/kvm/emulate.c
> @@ -2469,7 +2469,7 @@ static int rsm_load_state_32(struct x86_emulate_ctxt *ctxt,
>  	ctxt->eflags = GET_SMSTATE(u32, smstate, 0x7ff4) | X86_EFLAGS_FIXED;
>  	ctxt->_eip = GET_SMSTATE(u32, smstate, 0x7ff0);
>  
> -	for (i = 0; i < NR_EMULATOR_GPRS; i++)
> +	for (i = 0; i < 8; i++)
>  		*reg_write(ctxt, i) = GET_SMSTATE(u32, smstate, 0x7fd0 + i * 4);
>  
>  	val = GET_SMSTATE(u32, smstate, 0x7fcc);
> @@ -2526,7 +2526,7 @@ static int rsm_load_state_64(struct x86_emulate_ctxt *ctxt,
>  	u16 selector;
>  	int i, r;
>  
> -	for (i = 0; i < NR_EMULATOR_GPRS; i++)
> +	for (i = 0; i < 16; i++)
>  		*reg_write(ctxt, i) = GET_SMSTATE(u64, smstate, 0x7ff8 - i * 8);
>  
> 	ctxt->_eip = GET_SMSTATE(u64, smstate, 0x7f78);
> --
> 2.26.3
>
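Review bot: in the rsm_load_state_32() hunk, the bare literal 8 fixes the real bug (with NR_EMULATOR_GPRS equal to 16 on a 64-bit host, the old loop read 16 dwords from a 32-bit save area that only holds 8 registers, the out-of-bound access the commit message describes), but the number is now a magic constant with nothing tying it to the 32-bit SMRAM layout. Suggest a one-line comment above the loop, e.g. `/* 32-bit SMRAM save state holds exactly 8 GPRs (0x7fd0..0x7fef). */`, so the next person does not "helpfully" restore NR_EMULATOR_GPRS.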
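Review bot: in the rsm_load_state_64() hunk, replacing NR_EMULATOR_GPRS with 16 changes nothing at runtime, since, as the commit message notes, this function is compiled out on 32-bit hosts where NR_EMULATOR_GPRS is 8, and equals 16 everywhere it is built. It is still the right change because the loop bound now describes the 64-bit SMRAM layout rather than the emulator's register array, but the two are only safe together while 16 <= NR_EMULATOR_GPRS; a `BUILD_BUG_ON(NR_EMULATOR_GPRS < 16)` next to the loop would make that invariant explicit and catch a future shrink of the register array before reg_write() can index past it.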