Re: [PATCH V2] KVM: X86: MMU: Use the correct inherited permissions to get shadow page

On 03/06/21 19:59, Sean Christopherson wrote:
Maybe drop the first two paragraphs and combine the info into something like this?

   When computing the access permissions of a shadow page, use the effective
   permissions of the walk up to that point, i.e. the logic AND of its parents'
   permissions.  Two guest PxE entries that point at the same table gfn need to
   be shadowed with different shadow pages if their parents' permissions are
   different.  KVM currently uses the effective permissions of the last
   non-leaf entry for all non-leaf entries, which can lead to incorrectly
   reusing a shadow page if a lower-level entry has more restrictive permissions,
   and eventually result in a missing guest protection page fault.

And also a rewritten description of the sequence leading to the bug:

- First, the guest reads from ptr1 and KVM prepares a shadow
  page table with role.access=u--, from ptr1's pud1 and ptr1's pmd1.
  "u--" comes from the effective permissions of pgd, pud1 and
  pmd1, which are stored in pt->access.  "u--" is used also to get
  the pagetable for pud1, instead of "uw-".

- Then the guest writes to ptr2 and KVM reuses pud1 which is present.
  The hypervisor set up a shadow page for ptr2 whose pt->access is "uw-".
  However the pud1 pmd (because of the incorrect argument to
  kvm_mmu_get_page in the previous step) has role.access="u--".

- Then the guest reads from ptr3.  The hypervisor reuses pud1's
  shadow pmd for pud2, because both use "u--" for their permissions.
  Thus, the shadow pmd already includes entries for both pmd1 and pmd2.

- At last, the guest writes to ptr4.  This causes no vmexit or pagefault,
  because pud1's shadow page structures included an "uw-" page even though
  its role.access was "u--".

Queued, thanks.

Paolo
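The ptr1..ptr4 sequence above, replayed in a toy C model of FNAME(fetch) and
kvm_mmu_get_page(). This is an added example, not KVM code: the table gfns,
slot indices, permission bits and the fixed-size shadow page pool are all
constructed for illustration. Shadow pages are keyed by (gfn, level,
role.access); existing shadow links are followed without a lookup, and only a
missing link calls get_page(). The one switch between the buggy and the fixed
behaviour is which effective access is passed for each level: the AND of all
non-leaf entries for every level (old code) or the AND of the walk up to that
level (the patch).

```c
/*
 * Added example, not KVM code: a toy model of FNAME(fetch) and
 * kvm_mmu_get_page() that replays the ptr1..ptr4 sequence.
 * All gfns, table slots and permission bits below are constructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ACC_USER   1u			/* "u" */
#define ACC_WRITE  2u			/* "w" */
#define NR_LEVELS  4			/* pgd, pud, pmd, pte */
#define NR_ENTRIES 2			/* two slots per table suffice here */
#define MAX_SP     16			/* toy shadow page pool */

enum { U = ACC_USER, UW = ACC_USER | ACC_WRITE };	/* "u--", "uw-" */
enum result { ALLOWED, FILLED, GUEST_PF };		/* outcome of one access */

/* One guest walk: the entry used at each level, pgd first. */
struct guest_walk {
	unsigned idx[NR_LEVELS];	/* slot used in each table */
	unsigned gfn[NR_LEVELS];	/* gfn the entry points at (next table or page) */
	unsigned acc[NR_LEVELS];	/* permission bits of the entry itself */
};

/* Shadow page, keyed by (gfn, level, role.access) as in kvm_mmu_get_page(). */
struct shadow_page {
	unsigned gfn, level, access;
	struct shadow_page *child[NR_ENTRIES];	/* non-leaf links */
	unsigned spte[NR_ENTRIES];		/* leaf sptes, 0 = not present */
};

static struct shadow_page sp_pool[MAX_SP];
static unsigned nr_sp;
static struct shadow_page *root;

static struct shadow_page *get_page(unsigned gfn, unsigned level, unsigned access)
{
	for (unsigned i = 0; i < nr_sp; i++)
		if (sp_pool[i].gfn == gfn && sp_pool[i].level == level &&
		    sp_pool[i].access == access)
			return &sp_pool[i];	/* reuse: same gfn, same role */
	if (nr_sp == MAX_SP)
		abort();			/* toy pool exhausted */
	struct shadow_page *sp = &sp_pool[nr_sp++];
	memset(sp, 0, sizeof(*sp));
	sp->gfn = gfn;
	sp->level = level;
	sp->access = access;
	return sp;
}

/* The CPU walking the shadow tables: 1 = access completes, 0 = vmexit. */
static int hw_walk(const struct guest_walk *w, unsigned need)
{
	struct shadow_page *sp = root;
	for (unsigned lvl = 0; lvl < NR_LEVELS - 1; lvl++) {
		sp = sp->child[w->idx[lvl]];
		if (!sp)
			return 0;
	}
	unsigned spte = sp->spte[w->idx[NR_LEVELS - 1]];
	return spte && (spte & need) == need;
}

/* The guest's own view: effective permissions are the AND of every entry. */
static int guest_allows(const struct guest_walk *w, unsigned need)
{
	unsigned acc = UW;
	for (unsigned lvl = 0; lvl < NR_LEVELS; lvl++)
		acc &= w->acc[lvl];
	return (acc & need) == need;
}

/* Model of FNAME(fetch): fill in the shadow entries missing for this walk. */
static void kvm_fetch(const struct guest_walk *w, int buggy)
{
	unsigned pt_access[NR_LEVELS], acc = UW;

	/* Effective permissions of the walk up to and including each level. */
	for (unsigned lvl = 0; lvl < NR_LEVELS; lvl++) {
		acc &= w->acc[lvl];
		pt_access[lvl] = acc;
	}
	struct shadow_page *sp = root;
	for (unsigned lvl = 0; lvl < NR_LEVELS - 1; lvl++) {
		struct shadow_page **link = &sp->child[w->idx[lvl]];
		if (!*link) {
			/* Bug: the last non-leaf's effective access (pgd & pud & pmd)
			 * for every level; fix: the AND of the walk up to this level. */
			unsigned role_access = buggy ? pt_access[NR_LEVELS - 2]
						     : pt_access[lvl];
			*link = get_page(w->gfn[lvl], lvl + 1, role_access);
		}
		sp = *link;
	}
	sp->spte[w->idx[NR_LEVELS - 1]] = pt_access[NR_LEVELS - 1];	/* pte_access */
}

/* One guest access: on a vmexit KVM injects #PF if the guest tables deny it,
 * otherwise fills in the shadow tables and lets the guest retry. */
static enum result guest_access(const struct guest_walk *w, unsigned need, int buggy)
{
	if (hw_walk(w, need))
		return ALLOWED;
	if (!guest_allows(w, need))
		return GUEST_PF;
	kvm_fetch(w, buggy);
	return FILLED;
}

/* Replay the sequence from the thread; returns what happens to the write to ptr4. */
static enum result run_scenario(int buggy)
{
	/* Constructed layout: pgd table gfn 1, pud table 2, pmd table 3 (shared by
	 * pud1 and pud2), pte tables 4 (under pmd1) and 5 (under pmd2), pages 10/11.
	 * pgd[0] uw-, pud1=pud[0] uw-, pud2=pud[1] u--, pmd1=pmd[0] u--, pmd2=pmd[1] uw-. */
	struct guest_walk ptr1 = { {0, 0, 0, 0}, {2, 3, 4, 10}, {UW, UW, U, UW} };
	struct guest_walk ptr2 = { {0, 0, 1, 0}, {2, 3, 5, 11}, {UW, UW, UW, UW} };
	struct guest_walk ptr3 = { {0, 1, 0, 0}, {2, 3, 4, 10}, {UW, U, U, UW} };
	struct guest_walk ptr4 = { {0, 1, 1, 0}, {2, 3, 5, 11}, {UW, U, UW, UW} };

	nr_sp = 0;
	root = get_page(1, 0, UW);		/* shadow pgd; root access is irrelevant */
	guest_access(&ptr1, U, buggy);		/* read  via pud1, pmd1 */
	guest_access(&ptr2, UW, buggy);		/* write via pud1, pmd2 */
	guest_access(&ptr3, U, buggy);		/* read  via pud2, pmd1 */
	return guest_access(&ptr4, UW, buggy);	/* write via pud2, pmd2: guest says u-- */
}

int main(void)
{
	static const char *name[] = { "allowed, no vmexit", "filled in and retried", "guest #PF" };
	printf("buggy KVM: write to ptr4 -> %s\n", name[run_scenario(1)]);
	printf("fixed KVM: write to ptr4 -> %s\n", name[run_scenario(0)]);
	return 0;
}
```

With buggy=1 the write to ptr4 completes with no vmexit: pud2's shadow link
resolves to the same (gfn 3, "u--") pmd page that pud1 got in step one, and that
page already holds the "uw-" pte table installed for ptr2. With buggy=0 pud1's
pmd page carries "uw-", pud2 gets a separate (gfn 3, "u--") page in step three,
the ptr4 write vmexits on a missing link, and the guest walk denies it, so a
guest #PF is injected as the guest expects.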



