Re: Potential Denial-of-Service Vulnerability in KVM When Emulating 'hlt' Instruction in L2 Guests
From: Sean Christopherson
Date: Fri Jan 17 2025 - 12:22:38 EST
Dropping Non-KVM folks/lists.
On Fri, Jan 17, 2025, C CHI wrote:
> I roughly understand the above content.
Heh, you top posted, so it's below.
https://people.kernel.org/tglx/notes-about-netiquette
> The main reason for this phenomenon seems to be the chaotic VM memory layout
> caused by the syzkaller template settings. In fact, it’s even observable that
> the IDT region in the code doesn’t actually contain any exception handling
> code, very amusing :)
>
> Additionally, I would like to ask about the previously mentioned point
> where the IDT is set in the emulated MMIO space. How can I verify
> this, and where can I find the relevant code for setting the MMIO
> region?
In KVM, any guest address that isn't covered by a memslot, a.k.a. a user memory
region, is treated as emulated MMIO.
> The guest loops because the the guest's IDT is located in emulated
> MMIO space,
> and as suspected above, KVM refuses to emulates HLT for L2.
>
>
> Also, I'm curious as to what technique is used to get the following
> type of logging information, and I'd like to be able to get each ENTRY
> and EXIT info on the run
The below comes from KVM's tracepoints. E.g. if tracefs is mounted at
/sys/kernel/debug/trace, all KVM tracepoints can be enabled via:
/sys/kernel/debug/tracing/events/kvm/enable
See Documentation/trace/tracepoints.rst for details on using tracepoints (or the
same info in the web version https://docs.kernel.org/trace/tracepoints.html).