Xen project Mailing List

[PATCH] x86emul: avoid triggering event related assertions

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Date: Thu, 6 Apr 2023 16:15:33 +0200

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=rKDn1HJCVNxFcLW7Fft9AEmNPUbO0XRVtYZ2AEuomUo=; b=AKLNwFd5fzybubhcbxeZ0lYFNTO4vlCHCJ1QOvvb7nOCQHLYsdBcYGPdljoWOKNs2zK7gkv2x5v3EEIT/bG7QPbaum0oyulrZaVa1hvq6G04O2EnP231ZfutNWxez2WaxYL8wijSIwAIanHtCF0PlHp5euj/2ETsTe7r6VIqzRJMW+d6uDP9xsRRpsURDBYz50zPx0gifgZzSvCNi1eUlZOSJb9LybKnRSsKnsANKh8IlWA8o4ZiJbzKTnonyO3qKVFllJStWSK29KW9nVmPpDg9t8OwVouoequev9cD/voWOBLZcJQMCTcyHvMWMJzFf8HwuUy8gNWRnsu8UqQNyQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Sn7gxKHobU4Ut8MWGKwol4LpnWNoQlZU71kdMMIedIPd6AAm6qcsx51LVtUceaLDSuheBy05qW+gdr/kXzq6Cw6UJ7ntQnIN5A5QQP65SHCMbkxzdOZV9whg9qLbLAEnyvAWKVDKqAs58kK72F4z3YtRVCeWhY4LuI/IhmIWVE7yDWS9bIpVyvUErnutNoI0lXrNbnDyKnZufySzxikmsKSITxjSSS+t3MODt2H58PwBVKEz1XncOcdCcgtxJMFfgrBhnSHwzqJQcfAIiB0SVczkQVz2HywSJdP6BApJoCipzQNOb5QdmADr+6oMFOGGEk/jgZI53z9/rulz/JrVGA==

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>

Delivery-date: Thu, 06 Apr 2023 14:15:54 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The assertion at the end of x86_emulate_wrapper() as well as the ones in x86_emul_{hw_exception,pagefault}() can trigger if we ignore X86EMUL_EXCEPTION coming back from certain hook functions. Squash exceptions when merely probing MSRs, plus on SWAPGS'es "best effort" error handling path. In adjust_bnd() add another assertion after the read_xcr(0, ...) invocation, paralleling the one in x86emul_get_fpu() - XCR0 reads should never fault when XSAVE is (implicitly) known to be available. Fixes: 14a6be89ec04 ("x86emul: correct EFLAGS.TF handling") Fixes: cb2626c75813 ("x86emul: conditionally clear BNDn for branches") Fixes: 6eb43fcf8a0b ("x86emul: support SWAPGS") Reported-by: AFL Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> --- EFER reads won't fault in any of the handlers we have, so in principle the respective check could be omitted (and hence has no Fixes: tag). Thoughts? The Fixes: tags are for the commits introducing the affected code; I'm not entirely sure whether the raising of exceptions from hook functions actually pre-dates them, but even if not the issues were at least latent ones already before. --- a/xen/arch/x86/x86_emulate/0f01.c +++ b/xen/arch/x86/x86_emulate/0f01.c @@ -198,8 +198,10 @@ int x86emul_0f01(struct x86_emulate_stat if ( (rc = ops->write_segment(x86_seg_gs, &sreg, ctxt)) != X86EMUL_OKAY ) { - /* Best effort unwind (i.e. no error checking). */ - ops->write_msr(MSR_SHADOW_GS_BASE, msr_val, ctxt); + /* Best effort unwind (i.e. no real error checking). */ + if ( ops->write_msr(MSR_SHADOW_GS_BASE, msr_val, + ctxt) == X86EMUL_EXCEPTION ) + x86_emul_reset_event(ctxt); goto done; } break; --- a/xen/arch/x86/x86_emulate/0fae.c +++ b/xen/arch/x86/x86_emulate/0fae.c @@ -67,7 +67,10 @@ int x86emul_0fae(struct x86_emulate_stat cr4 = X86_CR4_OSFXSR; if ( !ops->read_msr || ops->read_msr(MSR_EFER, &msr_val, ctxt) != X86EMUL_OKAY ) + { + x86_emul_reset_event(ctxt); msr_val = 0; + } if ( !(cr4 & X86_CR4_OSFXSR) || (mode_64bit() && mode_ring0() && (msr_val & EFER_FFXSE)) ) s->op_bytes = offsetof(struct x86_fxsr, xmm[0]); --- a/xen/arch/x86/x86_emulate/x86_emulate.c +++ b/xen/arch/x86/x86_emulate/x86_emulate.c @@ -1177,10 +1177,18 @@ static bool is_branch_step(struct x86_em const struct x86_emulate_ops *ops) { uint64_t debugctl; + int rc = X86EMUL_UNHANDLEABLE; - return ops->read_msr && - ops->read_msr(MSR_IA32_DEBUGCTLMSR, &debugctl, ctxt) == X86EMUL_OKAY && - (debugctl & IA32_DEBUGCTLMSR_BTF); + if ( !ops->read_msr || + (rc = ops->read_msr(MSR_IA32_DEBUGCTLMSR, &debugctl, + ctxt)) != X86EMUL_OKAY ) + { + if ( rc == X86EMUL_EXCEPTION ) + x86_emul_reset_event(ctxt); + debugctl = 0; + } + + return debugctl & IA32_DEBUGCTLMSR_BTF; } static void adjust_bnd(struct x86_emulate_ctxt *ctxt, @@ -1194,13 +1202,21 @@ static void adjust_bnd(struct x86_emulat if ( !ops->read_xcr || ops->read_xcr(0, &xcr0, ctxt) != X86EMUL_OKAY || !(xcr0 & X86_XCR0_BNDREGS) || !(xcr0 & X86_XCR0_BNDCSR) ) + { + ASSERT(!ctxt->event_pending); return; + } if ( !mode_ring0() ) bndcfg = read_bndcfgu(); else if ( !ops->read_msr || - ops->read_msr(MSR_IA32_BNDCFGS, &bndcfg, ctxt) != X86EMUL_OKAY ) + (rc = ops->read_msr(MSR_IA32_BNDCFGS, &bndcfg, + ctxt)) != X86EMUL_OKAY ) + { + if ( rc == X86EMUL_EXCEPTION ) + x86_emul_reset_event(ctxt); return; + } if ( (bndcfg & IA32_BNDCFGS_ENABLE) && !(bndcfg & IA32_BNDCFGS_PRESERVE) ) { /*

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.