[PATCH v2] KVM: X86: Fix SMRAM accessing even if VM is shutdown

From: Wanpeng Li
Date: Thu Feb 08 2018 - 02:33:00 EST


From: Wanpeng Li <wanpengli@xxxxxxxxxxx>

Reported by syzkaller:

WARNING: CPU: 6 PID: 2434 at arch/x86/kvm/vmx.c:6660 handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
CPU: 6 PID: 2434 Comm: repro_test Not tainted 4.15.0+ #4
RIP: 0010:handle_ept_misconfig+0x54/0x1e0 [kvm_intel]
Call Trace:
vmx_handle_exit+0xbd/0xe20 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0xdaf/0x1d50 [kvm]
kvm_vcpu_ioctl+0x3e9/0x720 [kvm]
do_vfs_ioctl+0xa4/0x6a0
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x25/0x9c

syzkaller creates a former thread to issue the KVM_SMI ioctl, and then creates
a latter thread to mmap and operate on the same vCPU; rsm emulation will not be
executed since there is nothing like seabios which implements an SMI handler
when running syzkaller directly. This triggers a race condition when running
the testcase with multiple threads. Sometimes one thread exits w/ SHUTDOWN
reason, another thread mmaps and operates on the same vCPU, and it continues to
use CS=0x30000, IP=0x8000 to access the address of the SMI handler, which results
in the above ept misconfig. This patch fixes it by returning RET_PF_EMULATE
in kvm_handle_bad_page(), which would cause an emulation failure and then an
exit with KVM_EXIT_INTERNAL_ERROR; the VM will stop instead of resetting and
being taken advantage of.

Reported-by: syzbot+c1d9517cab094dae65e446c0c5b4de6c40f4dc58@xxxxxxxxxxxxxxxxxxxxxxxxx
Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Cc: Radim Krčmář <rkrcmar@xxxxxxxxxx>
Signed-off-by: Wanpeng Li <wanpengli@xxxxxxxxxxx>
---
v1 -> v2:
* return RET_PF_EMULATE

arch/x86/kvm/mmu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
index 8eca1d0..6c5a82c 100644
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -3029,7 +3029,7 @@ static int kvm_handle_bad_page(struct kvm_vcpu *vcpu, gfn_t gfn, kvm_pfn_t pfn)
return RET_PF_RETRY;
}

- return -EFAULT;
+ return RET_PF_EMULATE;
}

static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu,
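Review bot: changing the final `return -EFAULT;` to `return RET_PF_EMULATE;` is unconditional, so every bad-pfn case that falls through past the RET_PF_RETRY branch in kvm_handle_bad_page() now asks the caller to emulate, not only the SMRAM-after-SHUTDOWN case the commit message describes. A short comment above the return stating that the emulation is expected to fail and surface to userspace as KVM_EXIT_INTERNAL_ERROR would make that intent explicit, and the callers that previously saw -EFAULT from this path should be checked, since that error code no longer reaches them.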
--
2.7.4