KVM: Add instruction fetch checking when walking guest page table

This patch adds instruction fetch checking when walking guest page table, to implement SMEP when emulating instead of executing natively. Signed-off-by: N Yang, Wei <wei.y.yang@intel.com> Signed-off-by: N Shan, Haitao <haitao.shan@intel.com> Signed-off-by: N Li, Xin <xin.li@intel.com> Signed-off-by: N Avi Kivity <avi@redhat.com>

KVM: Add instruction fetch checking when walking guest page table
This patch adds instruction fetch checking when walking guest page table, to implement SMEP when emulating instead of executing natively. Signed-off-by: N Yang, Wei <wei.y.yang@intel.com> Signed-off-by: N Shan, Haitao <haitao.shan@intel.com> Signed-off-by: N Li, Xin <xin.li@intel.com> Signed-off-by: N Avi Kivity <avi@redhat.com>
e57d4a35 · Yang, Wei Y · Avi Kivity · 611c120f · e57d4a35
隐藏空白更改
内联并排

Showing with 8 addition and 1 deletion

arch/x86/kvm/paging_tmpl.h arch/x86/kvm/paging_tmpl.h +8 -1

未找到文件。
--- a/arch/x86/kvm/paging_tmpl.h
+++ b/arch/x86/kvm/paging_tmpl.h
@@ -246,6 +246,12 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
 			gfn_t gfn;
 			u32 ac;

+			/* check if the kernel is fetching from user page */
+			if (unlikely(pte_access & PT_USER_MASK) &&
+			    kvm_read_cr4_bits(vcpu, X86_CR4_SMEP))
+				if (fetch_fault && !user_fault)
+					eperm = true;
+
 			gfn = gpte_to_gfn_lvl(pte, lvl);
 			gfn += (addr & PT_LVL_OFFSET_MASK(lvl)) >> PAGE_SHIFT;

@@ -305,7 +311,8 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,

 	walker->fault.error_code |= write_fault | user_fault;

-	if (fetch_fault && mmu->nx)
+	if (fetch_fault && (mmu->nx ||
+			    kvm_read_cr4_bits(vcpu, X86_CR4_SMEP)))
 		walker->fault.error_code |= PFERR_FETCH_MASK;
 	if (rsvd_fault)
 		walker->fault.error_code |= PFERR_RSVD_MASK;