iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/arch/x86/kvm
History
Paolo Bonzini d14bdb553f KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS 
MOV to DR6 or DR7 causes a #GP if an attempt is made to write a 1 to
any of bits 63:32.  However, this is not detected at KVM_SET_DEBUGREGS
time, and the next KVM_RUN oopses:

   general protection fault: 0000 [#1] SMP
   CPU: 2 PID: 14987 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1
   Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012
   [...]
   Call Trace:
    [<ffffffffa072c93d>] kvm_arch_vcpu_ioctl_run+0x141d/0x14e0 [kvm]
    [<ffffffffa071405d>] kvm_vcpu_ioctl+0x33d/0x620 [kvm]
    [<ffffffff81241648>] do_vfs_ioctl+0x298/0x480
    [<ffffffff812418a9>] SyS_ioctl+0x79/0x90
    [<ffffffff817a0f2e>] entry_SYSCALL_64_fastpath+0x12/0x71
   Code: 55 83 ff 07 48 89 e5 77 27 89 ff ff 24 fd 90 87 80 81 0f 23 fe 5d c3 0f 23 c6 5d c3 0f 23 ce 5d c3 0f 23 d6 5d c3 0f 23 de 5d c3 <0f> 23 f6 5d c3 0f 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00
   RIP  [<ffffffff810639eb>] native_set_debugreg+0x2b/0x40
    RSP <ffff88005836bd50>

Testcase (beautified/reduced from syzkaller output):

    #include <unistd.h>
    #include <sys/syscall.h>
    #include <string.h>
    #include <stdint.h>
    #include <linux/kvm.h>
    #include <fcntl.h>
    #include <sys/ioctl.h>

    long r[8];

    int main()
    {
        struct kvm_debugregs dr = { 0 };

        r[2] = open("/dev/kvm", O_RDONLY);
        r[3] = ioctl(r[2], KVM_CREATE_VM, 0);
        r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7);

        memcpy(&dr,
               "\x5d\x6a\x6b\xe8\x57\x3b\x4b\x7e\xcf\x0d\xa1\x72"
               "\xa3\x4a\x29\x0c\xfc\x6d\x44\x00\xa7\x52\xc7\xd8"
               "\x00\xdb\x89\x9d\x78\xb5\x54\x6b\x6b\x13\x1c\xe9"
               "\x5e\xd3\x0e\x40\x6f\xb4\x66\xf7\x5b\xe3\x36\xcb",
               48);
        r[7] = ioctl(r[4], KVM_SET_DEBUGREGS, &dr);
        r[6] = ioctl(r[4], KVM_RUN, 0);
    }

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2016-06-02 17:38:50 +02:00
..
assigned-dev.c
KVM: x86: use list_for_each_entry*
2016-02-23 15:40:54 +01:00
assigned-dev.h
KVM: x86: move device assignment out of kvm_host.h
2014-11-24 16:53:50 +01:00
cpuid.c
KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID
2016-06-02 17:38:50 +02:00
cpuid.h
KVM, pkeys: expose CPUID/CR4 to guest
2016-03-22 16:38:17 +01:00
emulate.c
x86/kvm: Add stack frame dependency to fastop() inline asm
2016-05-10 18:16:50 +02:00
hyperv.c
KVM: Hyper-V: do not do hypercall userspace exits if SynIC is disabled
2016-04-01 12:10:09 +02:00
hyperv.h
kvm/x86: Hyper-V SynIC timers
2015-12-16 18:49:45 +01:00
i8254.c
KVM: i8254: drop local copy of mul_u64_u32_div
2016-03-04 22:39:17 +01:00
i8254.h
KVM: i8254: turn kvm_kpit_state.reinject into atomic_t
2016-03-04 09:30:25 +01:00
i8259.c
KVM: x86: clean/fix memory barriers in irqchip_in_kernel
2015-07-30 16:02:56 +02:00
ioapic.c
KVM: x86: Rename kvm_apic_get_reg to kvm_lapic_get_reg
2016-05-18 18:04:25 +02:00
ioapic.h
kvm: x86: Track irq vectors in ioapic->rtc_status.dest_map
2016-03-03 14:36:18 +01:00
iommu.c
treewide: Fix typos in printk
2016-04-18 11:23:24 +02:00
irq_comm.c
KVM: add missing memory barrier in kvm_{make,check}_request
2016-04-20 15:29:17 +02:00
irq.c
KVM: x86: consolidate "has lapic" checks into irq.c
2016-02-09 16:57:39 +01:00
irq.h
KVM: x86: consolidate different ways to test for in-kernel LAPIC
2016-02-09 16:57:45 +01:00
Kconfig
KVM: x86: select IRQ_BYPASS_MANAGER
2015-10-01 15:06:52 +02:00
kvm_cache_regs.h
KVM, pkeys: add pkeys support for permission_fault
2016-03-22 16:23:37 +01:00
lapic.c
KVM: x86: make hwapic_isr_update and hwapic_irr_update look the same
2016-05-18 18:04:32 +02:00
lapic.h
svm: Add VMEXIT handlers for AVIC
2016-05-18 18:04:29 +02:00
Makefile
KVM: page track: add the framework of guest page tracking
2016-03-03 14:36:20 +01:00
mmu_audit.c
kvm: rename pfn_t to kvm_pfn_t
2016-01-15 17:56:32 -08:00
mmu.c
KVM: x86: avoid write-tearing of TDP
2016-06-02 17:38:50 +02:00
mmu.h
KVM: MMU: fix permission_fault()
2016-04-10 21:53:49 +02:00
mmutrace.h
tracing: Rename ftrace_event.h to trace_events.h
2015-05-13 14:05:12 -04:00
mtrr.c
KVM: MTRR: remove MSR 0x2f8
2016-05-18 18:04:32 +02:00
page_track.c
KVM: page_track: fix access to NULL slot
2016-03-22 17:27:28 +01:00
paging_tmpl.h
KVM: MMU: fix permission_fault()
2016-04-10 21:53:49 +02:00
pmu_amd.c
KVM: x86/vPMU: Fix unnecessary signed extension for AMD PERFCTRn
2015-08-11 15:19:41 +02:00
pmu_intel.c
KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch
2015-06-23 14:12:14 +02:00
pmu.c
KVM: x86: consolidate different ways to test for in-kernel LAPIC
2016-02-09 16:57:45 +01:00
pmu.h
KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch
2015-06-23 14:12:14 +02:00
svm.c
- move kvm_stat tool from QEMU repo into tools/kvm/kvm_stat
2016-05-27 13:41:54 -07:00
trace.h
Small release overall.
2016-05-19 11:27:09 -07:00
tss.h
vmx.c
- move kvm_stat tool from QEMU repo into tools/kvm/kvm_stat
2016-05-27 13:41:54 -07:00
x86.c
KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS
2016-06-02 17:38:50 +02:00
x86.h
KVM, pkeys: add pkeys support for xsave state
2016-03-22 16:21:05 +01:00