From 04aecf1372d30eb709d8de65152535ab66dcb74a Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 00:55:45 +0200 Subject: Adding upstream version 7.0.16-dfsg. Signed-off-by: Daniel Baumann --- src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp | 30 +++++++++++++++++++++++------- src/VBox/VMM/VMMAll/IOMAllMmioNew.cpp | 2 +- src/VBox/VMM/VMMAll/PGMAllGstSlatEpt.cpp.h | 17 +++++++++++++---- src/VBox/VMM/VMMAll/PGMAllPhys.cpp | 5 +++++ src/VBox/VMM/VMMAll/PGMAllPool.cpp | 29 +++++++++++++++++++++++++++++ src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h | 2 ++ 6 files changed, 73 insertions(+), 12 deletions(-) (limited to 'src/VBox/VMM/VMMAll') diff --git a/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp b/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp index 29a4e52d..ab8ba45c 100644 --- a/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp +++ b/src/VBox/VMM/VMMAll/CPUMAllMsrs.cpp @@ -1731,7 +1731,8 @@ static DECLCALLBACK(VBOXSTRICTRC) cpumMsrRd_Amd64SyscallFlagMask(PVMCPUCC pVCpu, static DECLCALLBACK(VBOXSTRICTRC) cpumMsrWr_Amd64SyscallFlagMask(PVMCPUCC pVCpu, uint32_t idMsr, PCCPUMMSRRANGE pRange, uint64_t uValue, uint64_t uRawValue) { RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue); - pVCpu->cpum.s.Guest.msrSFMASK = uValue; + /* The high bits are ignored and read-as-zero, writing to them does not raise #GP. See @bugref{10610}.*/ + pVCpu->cpum.s.Guest.msrSFMASK = uValue & UINT32_MAX; return VINF_SUCCESS; } @@ -1749,8 +1750,13 @@ static DECLCALLBACK(VBOXSTRICTRC) cpumMsrRd_Amd64FsBase(PVMCPUCC pVCpu, uint32_t static DECLCALLBACK(VBOXSTRICTRC) cpumMsrWr_Amd64FsBase(PVMCPUCC pVCpu, uint32_t idMsr, PCCPUMMSRRANGE pRange, uint64_t uValue, uint64_t uRawValue) { RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue); - pVCpu->cpum.s.Guest.fs.u64Base = uValue; - return VINF_SUCCESS; + if (X86_IS_CANONICAL(uValue)) + { + pVCpu->cpum.s.Guest.fs.u64Base = uValue; + return VINF_SUCCESS; + } + Log(("CPUM: wrmsr %s(%#x), %#llx -> #GP - not canonical\n", pRange->szName, idMsr, uValue)); + return VERR_CPUM_RAISE_GP_0; } @@ -1766,8 +1772,13 @@ static DECLCALLBACK(VBOXSTRICTRC) cpumMsrRd_Amd64GsBase(PVMCPUCC pVCpu, uint32_t static DECLCALLBACK(VBOXSTRICTRC) cpumMsrWr_Amd64GsBase(PVMCPUCC pVCpu, uint32_t idMsr, PCCPUMMSRRANGE pRange, uint64_t uValue, uint64_t uRawValue) { RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue); - pVCpu->cpum.s.Guest.gs.u64Base = uValue; - return VINF_SUCCESS; + if (X86_IS_CANONICAL(uValue)) + { + pVCpu->cpum.s.Guest.gs.u64Base = uValue; + return VINF_SUCCESS; + } + Log(("CPUM: wrmsr %s(%#x), %#llx -> #GP - not canonical\n", pRange->szName, idMsr, uValue)); + return VERR_CPUM_RAISE_GP_0; } @@ -1784,8 +1795,13 @@ static DECLCALLBACK(VBOXSTRICTRC) cpumMsrRd_Amd64KernelGsBase(PVMCPUCC pVCpu, ui static DECLCALLBACK(VBOXSTRICTRC) cpumMsrWr_Amd64KernelGsBase(PVMCPUCC pVCpu, uint32_t idMsr, PCCPUMMSRRANGE pRange, uint64_t uValue, uint64_t uRawValue) { RT_NOREF_PV(idMsr); RT_NOREF_PV(pRange); RT_NOREF_PV(uRawValue); - pVCpu->cpum.s.Guest.msrKERNELGSBASE = uValue; - return VINF_SUCCESS; + if (X86_IS_CANONICAL(uValue)) + { + pVCpu->cpum.s.Guest.msrKERNELGSBASE = uValue; + return VINF_SUCCESS; + } + Log(("CPUM: wrmsr %s(%#x), %#llx -> #GP - not canonical\n", pRange->szName, idMsr, uValue)); + return VERR_CPUM_RAISE_GP_0; } diff --git a/src/VBox/VMM/VMMAll/IOMAllMmioNew.cpp b/src/VBox/VMM/VMMAll/IOMAllMmioNew.cpp index c737bf1f..4a924f78 100644 --- a/src/VBox/VMM/VMMAll/IOMAllMmioNew.cpp +++ b/src/VBox/VMM/VMMAll/IOMAllMmioNew.cpp @@ -448,7 +448,7 @@ static VBOXSTRICTRC iomMMIODoComplicatedRead(PVM pVM, CTX_SUFF(PIOMMMIOENTRY) pR /* * Do DWORD read from the device. */ - uint32_t u32Value; + uint32_t u32Value = 0; VBOXSTRICTRC rcStrict2 = pRegEntry->pfnReadCallback(pRegEntry->pDevIns, pRegEntry->pvUser, !(pRegEntry->fFlags & IOMMMIO_FLAGS_ABS) ? offRegion & ~(RTGCPHYS)3 : GCPhys & ~(RTGCPHYS)3, diff --git a/src/VBox/VMM/VMMAll/PGMAllGstSlatEpt.cpp.h b/src/VBox/VMM/VMMAll/PGMAllGstSlatEpt.cpp.h index 410abae1..56895dfb 100644 --- a/src/VBox/VMM/VMMAll/PGMAllGstSlatEpt.cpp.h +++ b/src/VBox/VMM/VMMAll/PGMAllGstSlatEpt.cpp.h @@ -35,16 +35,25 @@ * @returns @c true if valid, @c false otherwise. * @param pVCpu The cross context virtual CPU structure of the calling EMT. * @param uEntry The EPT page table entry to check. + * + * @remarks Current this ASSUMES @c uEntry is present (debug asserted)! */ DECLINLINE(bool) PGM_GST_SLAT_NAME_EPT(WalkIsPermValid)(PCVMCPUCC pVCpu, uint64_t uEntry) { if (!(uEntry & EPT_E_READ)) { - Assert(!pVCpu->CTX_SUFF(pVM)->cpum.ro.GuestFeatures.fVmxModeBasedExecuteEpt); - Assert(!RT_BF_GET(pVCpu->pgm.s.uEptVpidCapMsr, VMX_BF_EPT_VPID_CAP_EXEC_ONLY)); - NOREF(pVCpu); - if (uEntry & (EPT_E_WRITE | EPT_E_EXECUTE)) + if (uEntry & EPT_E_WRITE) return false; + + /* + * Currently all callers of this function check for the present mask prior + * to calling this function. Hence, the execute bit must be set now. + */ + Assert(uEntry & EPT_E_EXECUTE); + Assert(!pVCpu->CTX_SUFF(pVM)->cpum.ro.GuestFeatures.fVmxModeBasedExecuteEpt); + if (pVCpu->pgm.s.uEptVpidCapMsr & VMX_BF_EPT_VPID_CAP_EXEC_ONLY_MASK) + return true; + return false; } return true; } diff --git a/src/VBox/VMM/VMMAll/PGMAllPhys.cpp b/src/VBox/VMM/VMMAll/PGMAllPhys.cpp index 457f7de0..9aa351d9 100644 --- a/src/VBox/VMM/VMMAll/PGMAllPhys.cpp +++ b/src/VBox/VMM/VMMAll/PGMAllPhys.cpp @@ -2504,6 +2504,11 @@ static VBOXSTRICTRC pgmPhysReadHandler(PVMCC pVM, PPGMPAGE pPage, RTGCPHYS GCPhy /* Release the PGM lock as MMIO handlers take the IOM lock. (deadlock prevention) */ PGM_UNLOCK(pVM); + /* If the access origins with a device, make sure the buffer is initialized + as a guard against leaking heap, stack and other info via badly written + MMIO handling. @bugref{10651} */ + if (enmOrigin == PGMACCESSORIGIN_DEVICE) + memset(pvBuf, 0xff, cb); rcStrict = pfnHandler(pVM, pVCpu, GCPhys, (void *)pvSrc, pvBuf, cb, PGMACCESSTYPE_READ, enmOrigin, uUser); PGM_LOCK_VOID(pVM); diff --git a/src/VBox/VMM/VMMAll/PGMAllPool.cpp b/src/VBox/VMM/VMMAll/PGMAllPool.cpp index 59f946e5..aec01623 100644 --- a/src/VBox/VMM/VMMAll/PGMAllPool.cpp +++ b/src/VBox/VMM/VMMAll/PGMAllPool.cpp @@ -4774,6 +4774,31 @@ DECLINLINE(void) pgmPoolTrackDerefNestedPDEpt(PPGMPOOL pPool, PPGMPOOLPAGE pPage } } + +/** + * Clear references to shadowed pages in a SLAT EPT PML4 table. + * + * @param pPool The pool. + * @param pPage The page. + * @param pShwPml4 The shadow PML4 table. + */ +DECLINLINE(void) pgmPoolTrackDerefNestedPML4(PPGMPOOL pPool, PPGMPOOLPAGE pPage, PEPTPML4 pShwPml4) +{ + Assert(PGMPOOL_PAGE_IS_NESTED(pPage)); + for (unsigned i = 0; i < RT_ELEMENTS(pShwPml4->a); i++) + { + X86PGPAEUINT const uPml4e = pShwPml4->a[i].u; + AssertMsg((uPml4e & (EPT_PML4E_MBZ_MASK | 0xfff0000000000f00)) == 0, ("uPml4e=%RX64\n", uPml4e)); + if (uPml4e & EPT_PRESENT_MASK) + { + PPGMPOOLPAGE pSubPage = (PPGMPOOLPAGE)RTAvloHCPhysGet(&pPool->HCPhysTree, uPml4e & EPT_PML4E_PG_MASK); + if (pSubPage) + pgmPoolTrackFreeUser(pPool, pSubPage, pPage->idx, i); + else + AssertFatalMsgFailed(("%RX64\n", uPml4e & X86_PML4E_PG_MASK)); + } + } +} #endif /* VBOX_WITH_NESTED_HWVIRT_VMX_EPT */ @@ -5122,6 +5147,10 @@ static void pgmPoolTrackDeref(PPGMPOOL pPool, PPGMPOOLPAGE pPage) case PGMPOOLKIND_EPT_PDPT_FOR_EPT_PDPT: pgmPoolTrackDerefPDPTEPT(pPool, pPage, (PEPTPDPT)pvShw); break; + + case PGMPOOLKIND_EPT_PML4_FOR_EPT_PML4: + pgmPoolTrackDerefNestedPML4(pPool, pPage, (PEPTPML4)pvShw); + break; #endif default: diff --git a/src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h b/src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h index 85db8a47..efd44121 100644 --- a/src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h +++ b/src/VBox/VMM/VMMAll/VMXAllTemplate.cpp.h @@ -9428,6 +9428,8 @@ HMVMX_EXIT_DECL vmxHCExitEptMisconfig(PVMCPUCC pVCpu, PVMXTRANSIENT pVmxTransien /* * Frequent exit or something needing probing. Call EMHistoryExec. */ + int rc2 = vmxHCImportGuestState(pVCpu, pVmcsInfo, __FUNCTION__); + AssertRCReturn(rc2, rc2); Log4(("EptMisscfgExit/%u: %04x:%08RX64: %RGp -> EMHistoryExec\n", pVCpu->idCpu, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip, GCPhys)); -- cgit v1.2.3