Re: [PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush

Jinpu Wang <jinpu.wang@xxxxxxxxxxxxxxxx> · Wed, 22 Aug 2018 10:32:35 +0200



> From: MINOURA Makoto / 箕浦 真 <minoura@xxxxxxxxxxxxx>
> Date: 2018年8月22日周三 上午9:50
> Subject: [PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush
> To: <kvm@xxxxxxxxxxxxxxx>
> Cc: <linux-kernel@xxxxxxxxxxxxxxx>
>
>
>
> When EPT is not enabled, reading
> /sys/module/kvm_intel/parameters/vmentry_l1d_flush causes
> general protection fault in vmentry_l1d_flush_get() due to
> access beyond the end of the array vmentry_l1d_param[].
>
> Signed-off-by: Minoura Makoto <minoura@xxxxxxxxxxxxx>
> ---
>  arch/x86/include/asm/vmx.h | 1 +
>  arch/x86/kvm/vmx.c         | 4 +++-
>  2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
> index 95f9107449bf..c4b834b05178 100644
> --- a/arch/x86/include/asm/vmx.h
> +++ b/arch/x86/include/asm/vmx.h
> @@ -581,6 +581,7 @@ enum vmx_l1d_flush_state {
>         VMENTER_L1D_FLUSH_NEVER,
>         VMENTER_L1D_FLUSH_COND,
>         VMENTER_L1D_FLUSH_ALWAYS,
> +       VMENTER_L1D_FLUSH_PARAM_MAX = VMENTER_L1D_FLUSH_ALWAYS,
>         VMENTER_L1D_FLUSH_EPT_DISABLED,
>         VMENTER_L1D_FLUSH_NOT_REQUIRED,
>  };
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 1519f030fd73..155ba2a9139f 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -204,6 +204,8 @@ static const struct {
>         {"never",       VMENTER_L1D_FLUSH_NEVER},
>         {"cond",        VMENTER_L1D_FLUSH_COND},
>         {"always",      VMENTER_L1D_FLUSH_ALWAYS},
> +       {"ept-disabled", VMENTER_L1D_FLUSH_EPT_DISABLED},
> +       {"not-required", VMENTER_L1D_FLUSH_NOT_REQUIRED},
>  };
>
>  #define L1D_CACHE_ORDER 4
> @@ -286,7 +288,7 @@ static int vmentry_l1d_flush_parse(const char *s)
>         unsigned int i;
>
>         if (s) {
> -               for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {
> +               for (i = 0; i <= VMENTER_L1D_FLUSH_PARAM_MAX; i++) {
>                         if (sysfs_streq(s, vmentry_l1d_param[i].option))
>                                 return vmentry_l1d_param[i].cmd;
>                 }
Easy to reproduce. Thanks.
Tested-by: Jack Wang <jinpu.wang@xxxxxxxxxxxxxxxx>

--
Jack Wang
Linux Kernel Developer

ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin

Tel:       +49 30 577 008  042
Fax:      +49 30 577 008 299
Email:    jinpu.wang@xxxxxxxxxxxxxxxx
URL:      https://www.profitbricks.de

Sitz der Gesellschaft: Berlin
Registergericht: Amtsgericht Charlottenburg, HRB 125506 B
Geschäftsführer: Achim Weiss, Matthias Steinberg, Christoph Steffens