> On Oct 13, 2014, at 2:31 PM, Gleb Natapov <[email protected]> wrote:
> 
> On Mon, Oct 13, 2014 at 02:15:43AM +0300, Nadav Amit wrote:
>> 
>> 
>> On 10/12/14 3:12 PM, Paolo Bonzini wrote:
>>> Il 12/10/2014 08:57, Nadav Amit ha scritto:
>>>> Looks good. I’ll give it a try but it is hard to give a definitive
>>>> answer, since the emulator is still bug-ridden.
>>> 
>>> Yes, we need to write unit tests for this, especially the conforming
>>> case.  A bit of a pain to get kvm-unit-tests in ring 3 (access.flat
>>> does it), but I'll give it a shot.
>>> 
>>> Paolo
>>> 
>> 
>> I think the problem might be even more fundamental.
>> According to the SDM, the privilege level checks (CPL/DPL/RPL) are only 
>> performed when the segment is loaded; I see no reference to privilege checks 
>> when data is accessed.
>> You should be able to load a segment with DPL=0 while you are in CPL=0, then 
>> change CPL to 3 and still access the segment (obviously, it is not the best 
>> practice).
>> 
>> In that case, all the privilege checks in __linearize are redundant and to 
>> some extent incorrect.
>> Obviously, I am afraid to submit a patch that removes them, since if the 
>> privilege checks of __linearize are needed in certain cases, this may 
>> introduce a security problem.
>> 
>> Do you agree?
>> 
> 3a78a4f46302bfc83602a53dfa4dcbe76a7a1f5f removed RPL check from __linearize 
> already, so
> you are probably right, but better verify it on real HW.


It turns out far-ret cannot be used for such experiments, since it rechecks 
privilege and sets the segments which should be inaccessible (whose DPL is less 
than the new CPL) to NULL - see Intel SDM "5.8.6 Returning from a Called 
Procedure".

Using the sysexit, however, I managed to verify the behaviour - DS was loaded 
with a segment whose DPL=0, then sysexit was executed, and eventually DS was 
used to access memory (while CPL=3). Experiments were done using the 
kvm-unit-test environment; the memory accessing instruction was _not_ emulated.

Accordingly, I’ll create a new version of this patch which removes all segment 
privilege checks in __linearize.

Nadav
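The load-time versus access-time distinction, and the far-ret versus sysexit behaviour described in the message, as an added C model. This is not KVM's __linearize, not kvm-unit-tests code, and not the experiment from the thread; the descriptor values, register layout and function names are constructed for illustration only, and the model encodes just the rules the message names (privilege checked when a data segment register is loaded, far-ret nullifying data segments whose DPL is below the new CPL, sysexit leaving DS alone).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of x86 data-segment privilege semantics (not KVM code). */

typedef struct {
    uint32_t base;
    uint32_t limit;      /* last valid offset within the segment */
    unsigned dpl;
    bool     present;
    bool     code;
    bool     conforming; /* only meaningful when code == true */
} segdesc;

typedef struct {
    segdesc  desc;
    uint16_t selector;   /* low two bits are the RPL */
    bool     usable;     /* false after a null load or far-ret nullification */
} segreg;

/* Load-time check for DS/ES/FS/GS: a data segment or nonconforming code
 * segment requires RPL <= DPL and CPL <= DPL; conforming code is exempt.
 * Returns false where hardware would raise #GP. */
bool load_data_segment(segreg *reg, const segdesc *d, uint16_t selector, unsigned cpl)
{
    unsigned rpl = selector & 3;

    if ((selector & ~3u) == 0) {          /* null selector loads but is unusable */
        reg->selector = selector;
        reg->usable   = false;
        return true;
    }
    if (!d->present)
        return false;
    if (!(d->code && d->conforming) && (rpl > d->dpl || cpl > d->dpl))
        return false;                     /* #GP: privilege violation at load */

    reg->desc     = *d;
    reg->selector = selector;
    reg->usable   = true;
    return true;
}

/* Access-time linearization: usability and limit only, no CPL/DPL/RPL check.
 * `cpl` is accepted and deliberately ignored to make the point explicit. */
bool linearize(const segreg *reg, uint32_t offset, uint32_t size, unsigned cpl, uint32_t *lin)
{
    (void)cpl;
    if (!reg->usable || size == 0)        /* #GP on null/unusable segment */
        return false;
    uint64_t last = (uint64_t)offset + size - 1;
    if (last > reg->desc.limit)
        return false;                     /* #GP on limit violation */
    *lin = reg->desc.base + offset;
    return true;
}

/* far-ret to an outer privilege level: data (and nonconforming code) segments
 * with DPL < new CPL are loaded with the null selector. */
void far_ret_nullify(segreg *regs, size_t n, unsigned new_cpl)
{
    for (size_t i = 0; i < n; i++) {
        segreg *r = &regs[i];
        if (r->usable && !(r->desc.code && r->desc.conforming) && r->desc.dpl < new_cpl) {
            r->selector = 0;
            r->usable   = false;
        }
    }
}

/* Scenario from the message: DS <- DPL=0 segment while CPL=0, drop to CPL=3
 * either via sysexit (segment registers untouched) or via far-ret, then touch
 * memory through DS. Returns true if the CPL=3 access is allowed. */
bool ds_access_after_drop(bool via_far_ret)
{
    segdesc kernel_data = { .base = 0x10000, .limit = 0xFFFF, .dpl = 0, .present = true };
    segreg  ds;
    uint32_t lin;

    if (!load_data_segment(&ds, &kernel_data, 0x10 /* selector, RPL 0 */, 0))
        return false;
    if (via_far_ret)
        far_ret_nullify(&ds, 1, 3);
    return linearize(&ds, 0x100, 4, 3, &lin);
}

/* Control case: the same DPL=0 segment cannot be loaded at all from CPL=3. */
bool load_rejected_at_cpl3(void)
{
    segdesc kernel_data = { .base = 0x10000, .limit = 0xFFFF, .dpl = 0, .present = true };
    segreg  ds;
    return !load_data_segment(&ds, &kernel_data, 0x10, 3);
}

int main(void)
{
    printf("sysexit path: access %s\n", ds_access_after_drop(false) ? "allowed" : "denied");
    printf("far-ret path: access %s\n", ds_access_after_drop(true) ? "allowed" : "denied");
    return 0;
}
```

The model makes the emulator question concrete: the only place the DPL=0 descriptor is refused is load_data_segment, so an access-time privilege check in linearize would reject an access that the sysexit path on real hardware permits.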