Re: [PATCH v3 0/7] KVM: few more SMM fixes

[Paolo Bonzini]

On 22/09/21 17:52, Sean Christopherson wrote:
> On Wed, Sep 22, 2021, Paolo Bonzini wrote:
> > On 22/09/21 16:46, Sean Christopherson wrote:
> > > On Wed, Sep 22, 2021, Paolo Bonzini wrote:
> > > > On 13/09/21 16:09, Maxim Levitsky wrote:
> > > > >      KVM: x86: nVMX: re-evaluate emulation_required on nested VM exit
> > >
> > > ...
> > > > Queued, thanks.  However, I'm keeping patch 1 for 5.16 only.
> > >
> > > I'm pretty sure the above patch is wrong, emulation_required can simply be
> > > cleared on emulated VM-Exit.
> >
> > Are you sure?
>
> Pretty sure, but not 100% sure :-)
>
> > I think you can at least set the host segment fields to a data segment that
> > requires emulation.  For example the DPL of the host DS is hardcoded to zero,
> > but the RPL comes from the selector field and the DS selector is not
> > validated.
>
> HOST_DS_SEL is validated:
>
>    In the selector field for each of CS, SS, DS, ES, FS, GS and TR, the RPL
>    (bits 1:0) and the TI flag (bit 2) must be 0.

Ah, I think that's a bug in the manual.  In "27.5.2 Loading Host Segment 
and Descriptor-Table Registers" the reference to 26.3.1.2 should be 
26.2.3 ("Checks on Host Segment and Descriptor-Table Registers").  That 
one does cover all segment registers.  Hmm, who do we ask now about 
fixing Intel manuals?

So yeah, a WARN_ON_ONCE might be in order.  But I don't feel super safe 
making it false when it is possible to make KVM do something that is at 
least sensible.

Paolo

> > Therefore a subsequent vmentry could fail the access rights tests of 26.3.1.2
> > Checks on Guest Segment Registers:
>
> Yes, but this path is loading host state on VM-Exit.
>
> > DS, ES, FS, GS. The DPL cannot be less than the RPL in the selector field if
> > (1) the “unrestricted guest” VM-execution control is 0; (2) the register is
> > usable; and (3) the Type in the access-rights field is in the range 0 – 11
> > (data segment or non-conforming code segment).
> >
> > Paolo