[BUG] Nested Virtualization Bug on x86-64 AMD CPU

All the mail mirrored from lore.kernel.org
 help / color / mirror / Atom feed

From: Reima ISHII <ishiir@g.ecc.u-tokyo.ac.jp>
To: xen-devel@lists.xenproject.org
Cc: Takahiro Shinagawa <shina@ecc.u-tokyo.ac.jp>
Subject: [BUG] Nested Virtualization Bug on x86-64 AMD CPU
Date: Tue, 5 Dec 2023 22:51:56 +0900	[thread overview]
Message-ID: <CA+aCS-Ha4jSYFfxhOwMGiGJPdCOtgBJLt=3Q=v9dfp6SQJys4w@mail.gmail.com> (raw)

Dear Xen Development Team,

I am writing to report a bug that I have encountered in a Xen HVM
guest with nested virtualization.
Below is a detailed description of the bug, its potential impact, and
the environment in which it was observed.

[Bug Description]
The issue emerges when operating an HVM guest with nested
virtualization on an x86-64 AMD CPU, specifically in 64-bit mode (Long
Mode). The sequence to reproduce the bug is as follows:

1. Enable nestedhvm on an HVM guest.
2. In the L1 guest hypervisor, set CR0.PE, PG to 1 in VMCB12 and
execute  VMRUN, correctly resulting in a VM entry into the L2 guest.
3. In the L2 guest, perform a vmcall, which returns control back to
the L1 hypervisor.
4. Subsequently, while still in 64-bit mode, the L1 hypervisor just
changes the CR0.PG to 0 in VMCB12 and then executes VMRUN.

It is this specific action - executing VMRUN with CR0.PG set to 0 in
Long Mode - that triggers the BUG() within the
nsvm_vmcb_guest_intercepts_exitcode function in
arch/x86/hvm/svm/nestedsvm.c.
For an unknown reason, a vmexit occurs with the code 0x402, which is
flagged as an illegal exitcode, thus triggering the BUG().

[Potential Impact]
This bug presents a vulnerability that could allow a DoS attack from
the guest VM to the host hypervisor.

[Environment Details]
Here are the specs of the environment where the bug occurred:
- Xen Version: Xen-4.18-unstable (commit
290f82375d828ef93f831a5ef028f1283aa1ea47)
- Architecture: x86_64 (intel)

[Error Log]
(XEN) d1v0 Unexpected nested vmexit: reason 0x66
(XEN) d1v0 Unexpected nested vmexit: reason 0x7b
(XEN) d1v0 Unexpected nested vmexit: reason 0x7b
(XEN) d1v0 Unexpected nested vmexit: reason 0x7b
(XEN) d1v0 Unexpected nested vmexit: reason 0x7b
(XEN) arch/x86/hvm/svm/nestedsvm.c:982:d1v0 Illegal exitcode 0x402
(XEN) Xen BUG at arch/x86/hvm/svm/nestedsvm.c:983
(XEN) Debugging connection not set up.
(XEN) ----[ Xen-4.18-unstable  x86_64  debug=y gcov=y  Tainted:   C    ]----
(XEN) CPU:    10
(XEN) RIP:    e008:[<ffff82d0402997b8>]
arch/x86/hvm/svm/nestedsvm.c#nsvm_vmcb_guest_intercepts_exitcode+0x29e/0x4c1
(XEN) RFLAGS: 0000000000010202   CONTEXT: hypervisor (d1v0)
(XEN) rax: ffff830839bdd040   rbx: ffff83084f593000   rcx: 0000000000000008
(XEN) rdx: ffff830839bd7fff   rsi: ffff830839be5da8   rdi: ffff830839be5da0
(XEN) rbp: ffff830839bd7e48   rsp: ffff830839bd7e30   r8:  0000000000000001
(XEN) r9:  ffff830839be5da0   r10: 0000000000000001   r11: 0000000000000010
(XEN) r12: ffff83084f593000   r13: ffff83084f583000   r14: ffff83084f593000
(XEN) r15: 0000000000000001   cr0: 000000008005003b   cr4: 0000000000f506e0
(XEN) cr3: 000000084f6d4000   cr2: 0000000000000000
(XEN) fsb: 0000000000000000   gsb: ffff888490140000   gss: 0000000000000000
(XEN) ds: 0000   es: 0000   fs: 0000   gs: 0000   ss: 0000   cs: e008
(XEN) Xen code around <ffff82d0402997b8>
(arch/x86/hvm/svm/nestedsvm.c#nsvm_vmcb_guest_intercepts_exitcode+0x29e/0x4c1):
(XEN)  48 83 05 e0 ee 3b 00 01 <0f> 0b 48 83 05 de ee 3b 00 01 48 83 05 96 ee 3b
(XEN) Xen stack trace from rsp=ffff830839bd7e30:
(XEN)    0000000000000402 ffff83084f593000 ffff83084f583000 ffff830839bd7e70
(XEN)    ffff82d04029b052 0000000000000402 ffff830839bd7ef8 ffff83084f583000
(XEN)    ffff830839bd7ee8 ffff82d0402a1121 ffff82d0402a4afa ffff82d0402a4b00
(XEN)    ffff82d0402a4afa ffff82c0002d8000 ffff82d0402a4afa ffff82d0402a4b00
(XEN)    ffff82d0402a4afa ffff82d0402a4b00 ffff83084f593000 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 00007cf7c64280e7
(XEN)    ffff82d0402a4b4c 0000000000000000 0000000000000000 0000000000000000
(XEN)    0000000000000000 000000001f4604f7 0000000000000006 0000000000000000
(XEN)    0000000000000000 0000000000000000 0000000000000000 0000000000002040
(XEN)    00000000000004f7 0000000000000000 0000000000000000 000000001f467473
(XEN)    0000beef0000beef 000000000000ffff 000000bf0000beef 0000000000000082
(XEN)    0000000000000c62 000000000000beef 000000000000beef 000000000000beef
(XEN)    00000000ffffbeef 000000000000beef 0000e0100000000a ffff83084f593000
(XEN)    00000037f95a2000 0000000000f506e0 0000000000000000 0000000000000000
(XEN)    0000030300000000 0000000000000000
(XEN) Xen call trace:
(XEN)    [<ffff82d0402997b8>] R
arch/x86/hvm/svm/nestedsvm.c#nsvm_vmcb_guest_intercepts_exitcode+0x29e/0x4c1
(XEN)    [<ffff82d04029b052>] F nestedsvm_check_intercepts+0x29/0x214
(XEN)    [<ffff82d0402a1121>] F svm_vmexit_handler+0x351/0x2502
(XEN)    [<ffff82d0402a4b4c>] F svm_stgi_label+0x5/0x15
(XEN)
(XEN) debugtrace_dump() global buffer starting
1 cpupool_create(pool=0,sched=6)
2 Created cpupool 0 with scheduler SMP Credit Scheduler rev2 (credit2)
3 cpupool_add_domain(dom=0,pool=0) n_dom 1 rc 0
4-14 p2m: p2m_alloc_table(): allocating p2m table
15 cpupool_add_domain(dom=1,pool=0) n_dom 2 rc 0
(XEN) wrap: 0
(XEN) debugtrace_dump() global buffer finished
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 10:
(XEN) Xen BUG at arch/x86/hvm/svm/nestedsvm.c:983
(XEN) ****************************************
(XEN)

-- 
Graduate School of Information Science and Technology, The University of Tokyo
Reima Ishii
ishiir@g.ecc.u-tokyo.ac.jp

next             reply	other threads:[~2023-12-05 13:52 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-12-05 13:51 Reima ISHII [this message]
2023-12-05 14:43 ` [BUG] Nested Virtualization Bug on x86-64 AMD CPU Andrew Cooper
2023-12-06  3:05   ` Reima ISHII

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+aCS-Ha4jSYFfxhOwMGiGJPdCOtgBJLt=3Q=v9dfp6SQJys4w@mail.gmail.com' \
    --to=ishiir@g.ecc.u-tokyo.ac.jp \
    --cc=shina@ecc.u-tokyo.ac.jp \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.