Re: [PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush
> From: MINOURA Makoto / 箕浦 真
> Date: 2018年8月22日周三 上午9:50
> Subject: [PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush
> To:
> Cc:
>
>
>
> When EPT is not enabled, reading
> /sys/module/kvm_intel/parameters/vmentry_l1d_flush causes
> general protection fault in vmentry_l1d_flush_get() due to
> access beyond the end of the array vmentry_l1d_param[].
>
> Signed-off-by: Minoura Makoto
> ---
> arch/x86/include/asm/vmx.h | 1 +
> arch/x86/kvm/vmx.c | 4 +++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
> index 95f9107449bf..c4b834b05178 100644
> --- a/arch/x86/include/asm/vmx.h
> +++ b/arch/x86/include/asm/vmx.h
> @@ -581,6 +581,7 @@ enum vmx_l1d_flush_state {
> VMENTER_L1D_FLUSH_NEVER,
> VMENTER_L1D_FLUSH_COND,
> VMENTER_L1D_FLUSH_ALWAYS,
> + VMENTER_L1D_FLUSH_PARAM_MAX = VMENTER_L1D_FLUSH_ALWAYS,
> VMENTER_L1D_FLUSH_EPT_DISABLED,
> VMENTER_L1D_FLUSH_NOT_REQUIRED,
> };
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 1519f030fd73..155ba2a9139f 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -204,6 +204,8 @@ static const struct {
> {"never", VMENTER_L1D_FLUSH_NEVER},
> {"cond",VMENTER_L1D_FLUSH_COND},
> {"always", VMENTER_L1D_FLUSH_ALWAYS},
> + {"ept-disabled", VMENTER_L1D_FLUSH_EPT_DISABLED},
> + {"not-required", VMENTER_L1D_FLUSH_NOT_REQUIRED},
> };
>
> #define L1D_CACHE_ORDER 4
> @@ -286,7 +288,7 @@ static int vmentry_l1d_flush_parse(const char *s)
> unsigned int i;
>
> if (s) {
> - for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {
> + for (i = 0; i <= VMENTER_L1D_FLUSH_PARAM_MAX; i++) {
> if (sysfs_streq(s, vmentry_l1d_param[i].option))
> return vmentry_l1d_param[i].cmd;
> }
Easy to reproduce. Thanks.
Tested-by: Jack Wang
--
Jack Wang
Linux Kernel Developer
ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin
Tel: +49 30 577 008 042
Fax: +49 30 577 008 299
Email:jinpu.w...@profitbricks.com
URL: https://www.profitbricks.de
Sitz der Gesellschaft: Berlin
Registergericht: Amtsgericht Charlottenburg, HRB 125506 B
Geschäftsführer: Achim Weiss, Matthias Steinberg, Christoph Steffens
Re: [PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush
> From: MINOURA Makoto / 箕浦 真
> Date: 2018年8月22日周三 上午9:50
> Subject: [PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush
> To:
> Cc:
>
>
>
> When EPT is not enabled, reading
> /sys/module/kvm_intel/parameters/vmentry_l1d_flush causes
> general protection fault in vmentry_l1d_flush_get() due to
> access beyond the end of the array vmentry_l1d_param[].
>
> Signed-off-by: Minoura Makoto
> ---
> arch/x86/include/asm/vmx.h | 1 +
> arch/x86/kvm/vmx.c | 4 +++-
> 2 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
> index 95f9107449bf..c4b834b05178 100644
> --- a/arch/x86/include/asm/vmx.h
> +++ b/arch/x86/include/asm/vmx.h
> @@ -581,6 +581,7 @@ enum vmx_l1d_flush_state {
> VMENTER_L1D_FLUSH_NEVER,
> VMENTER_L1D_FLUSH_COND,
> VMENTER_L1D_FLUSH_ALWAYS,
> + VMENTER_L1D_FLUSH_PARAM_MAX = VMENTER_L1D_FLUSH_ALWAYS,
> VMENTER_L1D_FLUSH_EPT_DISABLED,
> VMENTER_L1D_FLUSH_NOT_REQUIRED,
> };
> diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
> index 1519f030fd73..155ba2a9139f 100644
> --- a/arch/x86/kvm/vmx.c
> +++ b/arch/x86/kvm/vmx.c
> @@ -204,6 +204,8 @@ static const struct {
> {"never", VMENTER_L1D_FLUSH_NEVER},
> {"cond",VMENTER_L1D_FLUSH_COND},
> {"always", VMENTER_L1D_FLUSH_ALWAYS},
> + {"ept-disabled", VMENTER_L1D_FLUSH_EPT_DISABLED},
> + {"not-required", VMENTER_L1D_FLUSH_NOT_REQUIRED},
> };
>
> #define L1D_CACHE_ORDER 4
> @@ -286,7 +288,7 @@ static int vmentry_l1d_flush_parse(const char *s)
> unsigned int i;
>
> if (s) {
> - for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {
> + for (i = 0; i <= VMENTER_L1D_FLUSH_PARAM_MAX; i++) {
> if (sysfs_streq(s, vmentry_l1d_param[i].option))
> return vmentry_l1d_param[i].cmd;
> }
Easy to reproduce. Thanks.
Tested-by: Jack Wang
--
Jack Wang
Linux Kernel Developer
ProfitBricks GmbH
Greifswalder Str. 207
D - 10405 Berlin
Tel: +49 30 577 008 042
Fax: +49 30 577 008 299
Email:jinpu.w...@profitbricks.com
URL: https://www.profitbricks.de
Sitz der Gesellschaft: Berlin
Registergericht: Amtsgericht Charlottenburg, HRB 125506 B
Geschäftsführer: Achim Weiss, Matthias Steinberg, Christoph Steffens
[PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush
When EPT is not enabled, reading
/sys/module/kvm_intel/parameters/vmentry_l1d_flush causes
general protection fault in vmentry_l1d_flush_get() due to
access beyond the end of the array vmentry_l1d_param[].
Signed-off-by: Minoura Makoto
---
arch/x86/include/asm/vmx.h | 1 +
arch/x86/kvm/vmx.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 95f9107449bf..c4b834b05178 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -581,6 +581,7 @@ enum vmx_l1d_flush_state {
VMENTER_L1D_FLUSH_NEVER,
VMENTER_L1D_FLUSH_COND,
VMENTER_L1D_FLUSH_ALWAYS,
+ VMENTER_L1D_FLUSH_PARAM_MAX = VMENTER_L1D_FLUSH_ALWAYS,
VMENTER_L1D_FLUSH_EPT_DISABLED,
VMENTER_L1D_FLUSH_NOT_REQUIRED,
};
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1519f030fd73..155ba2a9139f 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -204,6 +204,8 @@ static const struct {
{"never", VMENTER_L1D_FLUSH_NEVER},
{"cond",VMENTER_L1D_FLUSH_COND},
{"always", VMENTER_L1D_FLUSH_ALWAYS},
+ {"ept-disabled", VMENTER_L1D_FLUSH_EPT_DISABLED},
+ {"not-required", VMENTER_L1D_FLUSH_NOT_REQUIRED},
};
#define L1D_CACHE_ORDER 4
@@ -286,7 +288,7 @@ static int vmentry_l1d_flush_parse(const char *s)
unsigned int i;
if (s) {
- for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {
+ for (i = 0; i <= VMENTER_L1D_FLUSH_PARAM_MAX; i++) {
if (sysfs_streq(s, vmentry_l1d_param[i].option))
return vmentry_l1d_param[i].cmd;
}
[PATCH] x86/kvm/vmx: Fix GPF on reading vmentry_l1d_flush
When EPT is not enabled, reading
/sys/module/kvm_intel/parameters/vmentry_l1d_flush causes
general protection fault in vmentry_l1d_flush_get() due to
access beyond the end of the array vmentry_l1d_param[].
Signed-off-by: Minoura Makoto
---
arch/x86/include/asm/vmx.h | 1 +
arch/x86/kvm/vmx.c | 4 +++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/vmx.h b/arch/x86/include/asm/vmx.h
index 95f9107449bf..c4b834b05178 100644
--- a/arch/x86/include/asm/vmx.h
+++ b/arch/x86/include/asm/vmx.h
@@ -581,6 +581,7 @@ enum vmx_l1d_flush_state {
VMENTER_L1D_FLUSH_NEVER,
VMENTER_L1D_FLUSH_COND,
VMENTER_L1D_FLUSH_ALWAYS,
+ VMENTER_L1D_FLUSH_PARAM_MAX = VMENTER_L1D_FLUSH_ALWAYS,
VMENTER_L1D_FLUSH_EPT_DISABLED,
VMENTER_L1D_FLUSH_NOT_REQUIRED,
};
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index 1519f030fd73..155ba2a9139f 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -204,6 +204,8 @@ static const struct {
{"never", VMENTER_L1D_FLUSH_NEVER},
{"cond",VMENTER_L1D_FLUSH_COND},
{"always", VMENTER_L1D_FLUSH_ALWAYS},
+ {"ept-disabled", VMENTER_L1D_FLUSH_EPT_DISABLED},
+ {"not-required", VMENTER_L1D_FLUSH_NOT_REQUIRED},
};
#define L1D_CACHE_ORDER 4
@@ -286,7 +288,7 @@ static int vmentry_l1d_flush_parse(const char *s)
unsigned int i;
if (s) {
- for (i = 0; i < ARRAY_SIZE(vmentry_l1d_param); i++) {
+ for (i = 0; i <= VMENTER_L1D_FLUSH_PARAM_MAX; i++) {
if (sysfs_streq(s, vmentry_l1d_param[i].option))
return vmentry_l1d_param[i].cmd;
}
