[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] x86emul: avoid triggering event related assertions

  • To: Jan Beulich <jbeulich@xxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • Date: Thu, 6 Apr 2023 16:33:29 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=/Mfne7y8aweDKenSHNw4RzZCfFt4bGVZDOLeZa41Gvw=; b=ayOto2LOQc9204BfQIkSK2zCUlBls4PThcFA78KAFVgkDl9fFBWpw0E8cJDDsaG6lZ/9GviOhsx6cmdc6qsEx4/iDqc/6qpPWxhRQcoyXw7l309sYvV81wHGUPemy5fQx+3J60txSPSdY4vOvTKMLdKWoptD7+zwXcsG3C2WF5Wo4PwPUvrij5vZdz+gx2x3tAdgDArs1ZFH/ux7kXRHgKzfv/61d1ccaBco/tEGnO3hyrHKP9LeJGnEq/wvMDnkG1t6YffX8pXp0JKWKzkCZzI0jq+U2cBBe1q3JX/Ws9Sz+p2imq8RIf9uu+pWAkfE+il+40wmUzFMTTNNAkxfJQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jk8sq1R7IOBpxOMsa3cjL6R/waHwiG51bfOF9HEPca/tYEC3+v+iJ9eO30QrD4TKsJXyTg1QbbkEPM7fukg7PELHCdjT/b03WRc14EjQr2Hnm36rnYnMiImrM1wBA8jjJbYRRVGPZeSHiZv1hpoUqd7LsMtLGZv6IKO8ixyGwGuUmp8FXorWMxsgJZXt6eqAHS8KJFNDKNRUh+qgd+kEJpNF+Vdj6poMSq0Ix5sX/3ANGovVUKNzgN0kiVLpayz/McJpa75ThIa0MGj1dzZz66mbmhtsv0AiQepYZa1xmgxCXL6mbL4Bx7IJ+9PZFivDeDRg8KjqQ1vX5MM/iJ72GA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
  • Cc: Wei Liu <wl@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Delivery-date: Thu, 06 Apr 2023 15:33:59 +0000
  • Ironport-data: A9a23:sDCqw6OL+tNknYnvrR2IlsFynXyQoLVcMsEvi/4bfWQNrUp00DQBn WEaDWuHa67bZDfyf493a9+yo00DsZHXn9AySwto+SlhQUwRpJueD7x1DKtS0wC6dZSfER09v 63yTvGacajYm1eF/k/F3oDJ9CU6jufQAOKnUoYoAwgpLSd8UiAtlBl/rOAwh49skLCRDhiE/ Nj/uKUzAnf8s9JPGj9SuvLrRC9H5qyo42tE5gJmP5ingXeF/5UrJMNHTU2OByOQrrl8RoaSW +vFxbelyWLVlz9F5gSNy+uTnuUiG9Y+DCDW4pZkc/HKbitq/0Te5p0TJvsEAXq7vh3S9zxHJ HehgrTrIeshFvWkdO3wyHC0GQkmVUFN0OevzXRSLaV/ZqAJGpfh66wGMa04AWEX0thsHWFi+ 6EeFG4yfhODuumzypS6Y9A506zPLOGzVG8ekldJ6GiDSNoDH9XESaiM4sJE1jAtgMwIBezZe 8cSdTtoalLHfgFLPVAUTpk5mY9EhFGmK2Ee9A3T+PtxujeJpOBy+OGF3N79U9qGX8hK2G2fo XrL5T/RCRAGLt2PjzGC9xpAg8eWxX+nCdJOSezQGvhCkG2z/E0xWQAqCniF/+KTzXybXfxNA hlBksYphe1onKCxdfH/VRClpH+PvjYHRsFdVeY97Wml2qfSpgqUGGUAZjpAc8A98t87QyQw0 V2ElM+vAiZg2JWKTVqN+7HSqim9URX5NkcHbC4ACAcAvd/qpdhpigqVF4k5VqmoktfyBDf8h SiQqzQzjKkSishN0Lin+VfAgHSnoZ2hohMJ2zg7l1mNtmtRDLNJraTzgbQHxZ6s9Lqkc2Q=
  • Ironport-hdrordr: A9a23:ht85cKvHnzKYUtHPS3ka1WSK7skDp9V00zEX/kB9WHVpmwKj5q KTddAgpGfJYVcqKQgdcLW7VpVoLkm8yXcY2+ks1PKZLXLbUSiTXf5fBOjZslvd8k/Fh4pgPP xbAtRD4bTLZDAQ56uXjzVQUexQp+Vvm5rY4Ns2oU0dLj1CWuVF5wd9CgGUVmh3XhQuP+tGKH OF3Ls7m9O/QwVsUviG
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 06/04/2023 3:15 pm, Jan Beulich wrote:
> The assertion at the end of x86_emulate_wrapper() as well as the ones
> in x86_emul_{hw_exception,pagefault}() can trigger if we ignore
> X86EMUL_EXCEPTION coming back from certain hook functions.

Looking at the comment I wrote back then, I don't think I'd considered
this case.

What I was fixing at the time was the case where
hvm_inject_hw_exception() had raised an exception behind the back of the
emulator, and any subsequent exception escalates to #DF.

I guess the comment wants updating to discuss this problem too, where
the hook queued an exception but we didn't squash it properly when
deciding to ignore it.

As it's debugging-only anyway, it might be worth rearranging the
expression to be

if ( ctxt->event_pending )
    ASSERT(rc == X86EMUL_EXCEPTION);
else
    ASSERT(rc != X86EMUL_EXCEPTION);

because it distinguishes the two cases without an intermediate round of
debugging.

>  Squash
> exceptions when merely probing MSRs, plus on SWAPGS'es "best effort"
> error handling path.
>
> In adjust_bnd() add another assertion after the read_xcr(0, ...)
> invocation, paralleling the one in x86emul_get_fpu() - XCR0 reads should
> never fault when XSAVE is (implicitly) known to be available.
>
> Fixes: 14a6be89ec04 ("x86emul: correct EFLAGS.TF handling")
> Fixes: cb2626c75813 ("x86emul: conditionally clear BNDn for branches")
> Fixes: 6eb43fcf8a0b ("x86emul: support SWAPGS")
> Reported-by: AFL
> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
> ---
> EFER reads won't fault in any of the handlers we have, so in principle
> the respective check could be omitted (and hence has no Fixes: tag).
> Thoughts?

We already require LMA as input state, and don't have an execution model
where EFER is actually absent in the first place, so passing the whole
thing wouldn't really be an issue.

I have previously considered doing the same for CR0 too, but at best
it's marginal so I haven't got around to trying it.

> --- a/xen/arch/x86/x86_emulate/0fae.c
> +++ b/xen/arch/x86/x86_emulate/0fae.c
> @@ -67,7 +67,10 @@ int x86emul_0fae(struct x86_emulate_stat
>                      cr4 = X86_CR4_OSFXSR;
>                  if ( !ops->read_msr ||
>                       ops->read_msr(MSR_EFER, &msr_val, ctxt) != X86EMUL_OKAY 
> )
> +                {
> +                    x86_emul_reset_event(ctxt);

This is the only path you've introduced that doesn't restrict the reset
to the X86EMUL_EXCEPTION case.

In principle you can get things like RETRY for introspection. 
Internally, UNHANDLEABLE is used but I hope that never escapes from
guest_{rd,wr}msr().

~Andrew

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.