    KVM: x86: fix fixing of hypercalls · ce2e852e
    Dmitry Vyukov authored
    emulator_fix_hypercall() replaces hypercall with vmcall instruction,
    but it does not handle a GP exception properly when it writes the new instruction.
    It can return X86EMUL_PROPAGATE_FAULT without setting exception information.
    This leads to incorrect emulation and triggers
    WARN_ON(ctxt->exception.vector > 0x1f) in x86_emulate_insn()
    as discovered by the syzkaller fuzzer:
    
    WARNING: CPU: 2 PID: 18646 at arch/x86/kvm/emulate.c:5558
    Call Trace:
     warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
     x86_emulate_insn+0x16a5/0x4090 arch/x86/kvm/emulate.c:5572
     x86_emulate_instruction+0x403/0x1cc0 arch/x86/kvm/x86.c:5618
     emulate_instruction arch/x86/include/asm/kvm_host.h:1127 [inline]
     handle_exception+0x594/0xfd0 arch/x86/kvm/vmx.c:5762
     vmx_handle_exit+0x2b7/0x38b0 arch/x86/kvm/vmx.c:8625
     vcpu_enter_guest arch/x86/kvm/x86.c:6888 [inline]
     vcpu_run arch/x86/kvm/x86.c:6947 [inline]
    
    Set exception information when write in emulator_fix_hypercall() fails.
    Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
    Cc: Paolo Bonzini <pbonzini@redhat.com>
    Cc: Radim Krčmář <rkrcmar@redhat.com>
    Cc: Wanpeng Li <wanpeng.li@hotmail.com>
    Cc: kvm@vger.kernel.org
    Cc: syzkaller@googlegroups.com
    Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
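The failure mode the commit message describes, as an added C model that is neither kernel code nor the commit's diff (which is not shown on this page). The struct layouts, the write helper's signature, the #GP trigger (a constructed address limit) and the way the bug is represented (the write helper is handed no exception slot, so it can only return X86EMUL_PROPAGATE_FAULT) are assumptions made for illustration. It shows why a fault return with no recorded vector trips the `WARN_ON(ctxt->exception.vector > 0x1f)` check in the emulator's fault path, and why storing the fault into `ctxt->exception` makes the same write failure turn into an injectable #GP instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes named as in the commit message. */
#define X86EMUL_CONTINUE        0
#define X86EMUL_PROPAGATE_FAULT 1

#define GP_VECTOR 13

/* Outcomes of one emulated instruction in this model. */
#define OUTCOME_PATCHED (-2)  /* write succeeded, guest resumes */
#define OUTCOME_WARN    (-1)  /* WARN_ON fires: no valid vector to inject */
/* any value >= 0 is the exception vector that would be injected */

/* Assumed, minimal shape of the emulator's exception record. */
struct x86_exception {
    unsigned char  vector;
    bool           error_code_valid;
    unsigned short error_code;
};

/* Assumed, minimal emulator context: rip plus the exception slot. */
struct x86_emulate_ctxt {
    unsigned long        rip;
    struct x86_exception exception;
    unsigned long        gp_above;  /* constructed: writes at/above this raise #GP */
};

/* Model of the emulated memory write.  On a #GP it fills *exc if the caller
 * provided one; with exc == NULL the caller only ever sees the return code. */
static int emulator_write_emulated(struct x86_emulate_ctxt *ctxt,
                                   unsigned long addr, const void *val,
                                   unsigned int bytes, struct x86_exception *exc)
{
    (void)val; (void)bytes;
    if (addr >= ctxt->gp_above) {
        if (exc) {
            exc->vector = GP_VECTOR;
            exc->error_code_valid = true;
            exc->error_code = 0;
        }
        return X86EMUL_PROPAGATE_FAULT;
    }
    return X86EMUL_CONTINUE;
}

/* Buggy variant (assumed representation of the bug): the write helper is
 * given no exception slot, so a failed write propagates a fault that
 * nobody described. */
static int fix_hypercall_buggy(struct x86_emulate_ctxt *ctxt)
{
    unsigned char vmcall[3] = { 0x0f, 0x01, 0xc1 };  /* VMCALL encoding */
    return emulator_write_emulated(ctxt, ctxt->rip, vmcall, 3, NULL);
}

/* Fixed variant: a failed write records its #GP in ctxt->exception. */
static int fix_hypercall_fixed(struct x86_emulate_ctxt *ctxt)
{
    unsigned char vmcall[3] = { 0x0f, 0x01, 0xc1 };
    return emulator_write_emulated(ctxt, ctxt->rip, vmcall, 3,
                                   &ctxt->exception);
}

/* Model of the fault path in x86_emulate_insn(): after PROPAGATE_FAULT the
 * emulator expects ctxt->exception.vector to be an architectural vector. */
static int emulate_insn(struct x86_emulate_ctxt *ctxt,
                        int (*fix_hypercall)(struct x86_emulate_ctxt *))
{
    /* Constructed precondition: the slot still holds stale contents from
     * earlier use, so a missing store becomes observable. */
    ctxt->exception.vector = 0xff;

    int rc = fix_hypercall(ctxt);
    if (rc == X86EMUL_PROPAGATE_FAULT) {
        if (ctxt->exception.vector > 0x1f)
            return OUTCOME_WARN;            /* WARN_ON(ctxt->exception.vector > 0x1f) */
        return ctxt->exception.vector;      /* injected into the guest */
    }
    return OUTCOME_PATCHED;
}

/* Run one scenario: patch at `rip` with faults triggered at/above `gp_above`. */
int run_scenario(unsigned long rip, unsigned long gp_above, bool fixed)
{
    struct x86_emulate_ctxt ctxt = { .rip = rip, .gp_above = gp_above };
    return emulate_insn(&ctxt, fixed ? fix_hypercall_fixed : fix_hypercall_buggy);
}

int main(void)
{
    printf("buggy, write faults:  %d\n", run_scenario(0x1000, 0x1000, false));
    printf("fixed, write faults:  %d\n", run_scenario(0x1000, 0x1000, true));
    printf("fixed, write succeeds: %d\n", run_scenario(0x1000, 0x2000, true));
    return 0;
}
```

The interesting case is the faulting write: the buggy variant reaches the fault path with a stale vector and reports OUTCOME_WARN, the fixed variant reports GP_VECTOR (13), and when the write succeeds both variants behave identically, which is why the bug only surfaced under fuzzing.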