On 06/25/2012 06:35 PM, Gleb Natapov wrote:
>>
>> Agree. Though the security issue is limited; the structure won't be
>> uninitialized, it would retain values from the previous call. So it's
>> limited to intra-guest vulnerabilities.
>>
> Yes, that's the kind I mean, not host crash. Intra-guest vulnerabilities
> should not be taken lightly. From guest POV they are like buggy CPUs
> that allows privilege escalation.
It's a smaller disaster; I didn't mean to minimize those issues.
>
>> >
>> >> Later we can extend x86_decode_insn() and the other
>> >> functions to follow the same rule.
>> >>
>> > What rule? We cannot not initialize a context. You can reduce things
>> > that should be initialized to minimum (getting GP registers on demand,
>> > etc), but still some initialization is needed since ctxt holds emulation
>> > state and it needs to be reset before each emulation.
>>
>> An alternative is to use two contexts, the base context only holds ops
>> and is the parameter to all the callbacks on the non-state APIs, the
>> derived context holds the state:
>>
>> struct x86_emulation_ctxt {
>> struct x86_ops *ops;
>> /* state that always needs to be initialized, preferablt none */
>> };
>>
>> struct x86_insn_ctxt {
>> struct x86_emulation_ctxt em;
>> /* instruction state */
>> }
>>
>> and so we have a compile-time split between users of the state and
>> non-users.
>>
> I do not understand how you will divide current ctxt structure between
> those two.
>
> Where will you put those for instance: interruptibility, have_exception,
> perm_ok, only_vendor_specific_insn and how can they not be initialized
> before each instruction emulation?
x86_emulate_ops::get_interruptibility()
x86_emulate_ops::set_interruptibility()
x86_emulate_ops::exception()
x86_decode_insn(struct x86_insn_ctxt *ctxt, unsigned flags)
{
ctxt->flags = flags;
ctxt->perm_ok = false;
}
In short, instruction emulation state is only seen by instruction
emulation functions, the others don't get to see it.
--
error compiling committee.c: too many arguments to function
--
To unsubscribe from this list: send the line "unsubscribe kvm" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
