Commit 3dbe1415 authored by Avi Kivity's avatar Avi Kivity
Browse files

KVM: MMU: Segregate shadow pages with different cr0.wp 



When cr0.wp=0, we may shadow a gpte having u/s=1 and r/w=0 with an spte
having u/s=0 and r/w=1.  This allows excessive access if the guest sets
cr0.wp=1 and accesses through this spte.

Fix by making cr0.wp part of the base role; we'll have different sptes for
the two cases and the problem disappears.

Signed-off-by: default avatarAvi Kivity <avi@redhat.com>
Signed-off-by: default avatarMarcelo Tosatti <mtosatti@redhat.com>
parent a3d204e2

Documentation/kvm/mmu.txt

+2 −0
Original line number Diff line number Diff line
@@ -163,6 +163,8 @@ Shadow pages contain the following information: 
    32-bit or 64-bit gptes are in use).

  role.cr4_nxe:

    Contains the value of efer.nxe for which the page is valid.

  role.cr0_wp:

    Contains the value of cr0.wp for which the page is valid.

  gfn:

    Either the guest page table containing the translations shadowed by this

    page, or the base page frame for linear translations.  See role.direct.

arch/x86/include/asm/kvm_host.h

+1 −0
Original line number Diff line number Diff line
@@ -179,6 +179,7 @@ union kvm_mmu_page_role { 
		unsigned access:3;

		unsigned invalid:1;

		unsigned nxe:1;

		unsigned cr0_wp:1;

	};

};

arch/x86/kvm/mmu.c

+2 −1
Original line number Diff line number Diff line
@@ -217,7 +217,7 @@ void kvm_mmu_set_mask_ptes(u64 user_mask, u64 accessed_mask, 
}

EXPORT_SYMBOL_GPL(kvm_mmu_set_mask_ptes);



static int is_write_protection(struct kvm_vcpu *vcpu)

static bool is_write_protection(struct kvm_vcpu *vcpu)

{

	return kvm_read_cr0_bits(vcpu, X86_CR0_WP);

}
@@ -2432,6 +2432,7 @@ static int init_kvm_softmmu(struct kvm_vcpu *vcpu) 
		r = paging32_init_context(vcpu);



	vcpu->arch.mmu.base_role.cr4_pae = !!is_pae(vcpu);

	vcpu->arch.mmu.base_role.cr0_wp = is_write_protection(vcpu);



	return r;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE